Ticket #804 (new maintenance)
Investigating the site security following SA-CORE-2014-005 (Drupal 7.32)
| Reported by: | paul | Owned by: | ed |
|---|---|---|---|
| Priority: | major | Milestone: | Maintenance |
| Component: | Unassigned | Keywords: | |
| Cc: | Estimated Number of Hours: | 0.0 | |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 2.5 |
Description (last modified by paul) (diff)
It was discovered that TN could have have been compromised from the recent security vulnerability (even though we are running Drupal 6)
as the site is using the DBTNG module. However the site doesn't appear to have been compromised. I'll post my findings shortly.
Change History
comment:2 Changed 2 years ago by paul
- Add Hours to Ticket changed from 0.0 to 2.5
- Total Hours changed from 0.0 to 2.5
Updated DBTNG on production to the release following the security announcement
Nothing added to the menu_router table.
No PHP files in the files directory.
No new files[*] in the modules/ directory (All exploits that I have I seen so far involve adding PHP files/ to the module directory. I guess this is because core modules directory is a known where as the location of the contributed modules directory is an unknown) Let me know if you want me to dig deeper and try the contrib folder ..
No new roles.
No new users since October 15th.
No reported problems of users, with privileged roles, having access problems
$ diff -r www/modules modules
diff -r www/modules/openid/openid.install modules/openid/openid.install
145,207d144
< /**
< * Bind associations to their providers.
< */
< function openid_update_6001() {
< $ret = array();
<
< db_drop_table($ret, 'openid_association');
<
< $schema['openid_association'] = array(
< 'description' => 'Stores temporary shared key association information for OpenID authentication.',
< 'fields' => array(
< 'idp_endpoint_uri' => array(
< 'type' => 'varchar',
< 'length' => 255,
< 'not null' => TRUE,
< 'description' => 'Primary Key: URI of the OpenID Provider endpoint.',
< ),
< 'assoc_handle' => array(
< 'type' => 'varchar',
< 'length' => 255,
< 'not null' => TRUE,
< 'description' => 'Used to refer to this association in subsequent messages.',
< ),
< 'assoc_type' => array(
< 'type' => 'varchar',
< 'length' => 32,
< 'description' => 'The signature algorithm used: one of HMAC-SHA1 or HMAC-SHA256.',
< ),
< 'session_type' => array(
< 'type' => 'varchar',
< 'length' => 32,
< 'description' => 'Valid association session types: "no-encryption", "DH-SHA1", and "DH-SHA256".',
< ),
< 'mac_key' => array(
< 'type' => 'varchar',
< 'length' => 255,
< 'description' => 'The MAC key (shared secret) for this association.',
< ),
< 'created' => array(
< 'type' => 'int',
< 'not null' => TRUE,
< 'default' => 0,
< 'description' => 'UNIX timestamp for when the association was created.',
< ),
< 'expires_in' => array(
< 'type' => 'int',
< 'not null' => TRUE,
< 'default' => 0,
< 'description' => 'The lifetime, in seconds, of this association.',
< ),
< ),
< 'primary key' => array('idp_endpoint_uri'),
< 'unique keys' => array(
< 'assoc_handle' => array('assoc_handle'),
< ),
< );
<
< db_create_table($ret, 'openid_association', $schema['openid_association']);
<
< return $ret;
< }
<
<
diff -r www/modules/openid/xrds.inc modules/openid/xrds.inc
17a18,33
> // Since DOCTYPE declarations from an untrusted source could be malicious, we
> // stop parsing here and treat the XML as invalid. XRDS documents do not
> // require, and are not expected to have, a DOCTYPE.
> if (preg_match('/<!DOCTYPE/i', $xml)) {
> return array();
> }
>
> // Also stop parsing if there is an unreasonably large number of tags.
> // substr_count() has much better performance (compared to preg_match_all())
> // for large payloads but is less accurate, so we check for twice the desired
> // number of allowed tags (to take into account opening/closing tags as well
> // as false positives).
> if (substr_count($xml, '<') > 2 * variable_get('openid_xrds_maximum_tag_count', 30000)) {
> return array();
> }
>
diff -r www/modules/system/system.module modules/system/system.module
11c11
< define('VERSION', '6.31');
---
> define('VERSION', '6.33');
Sorry, doesn't appear to be compromised.