Surprisingly, I can't find a Security forum, so I post here instead.

In my logs, I find the following php error messages:

Type: php
Severity: error
User: Anonymous
Message:
Duplicate entry 'menu:0:en' for key 1 query: INSERT INTO drupal_cache (cid, data, created, expire, headers) VALUES ('menu:0:en', 'a:3:{s:10:\"path index\";a:180:{s:11:\"admin/block\";s:1:\"2\";... in /path/to/includes/database.mysql.inc on line 66.

There are three similar messages in a row.
Does it look like a hacking attempt on Drupal, or else, what is it?

Besides, for the last few weeks, I have been looking for a security policy, but in vain. I have contacted the security working group using the contact form, but I have not received any reply. There is no copy of the message and no acknowledgment it has been received (for all I know, when I click post, it goes to > /dev/null).

I see some critical issues/bugs that have not been dealt with, and most surprisingly, I found myself having to explain to a seemingly senior Drupal contributor that a full path disclosure IS a grave security issue (at least potentially, i.e. grave enough).

I am not sure I feel very confident with the community's attitude towards security.

Thank you.

Comments

Steven

This is a known issue, which is due to a race condition in cache_set. It has been fixed in the development version. There is no SQL injection going on, Drupal should be safe against that: we have a db_query() API which has "%s" and "%d" markers in the SQL query, with the dynamic parts passed as separate arguments.

So, unless the module author chooses to not use this mechanism, SQL injection cannot happen.

If Drupal has a seemingly "lax" security policy, it's because security issues have been rare and until now always discovered ourselves before they can be exploited.

Perhaps this comparison of Drupal with other PHP software will ease your conscience:
http://sibowo.blogspot.com/2005/04/drupal-vs-wordpress-vs-postnuke-vs.html

As far as messages on the security form go, they are all received on a dedicated security mailing list. I guess no-one has had time to reply yet. Sorry about that, but we all have day jobs...

--
If you have a problem, please search before posting a question.

beginner

Thank you very much Steven for your prompt and informative reply.

I can only guess what a "race condition" is, but from what I understand I don't need to worry about it and can safely wait until the next stable release of Drupal. Or do you imply that I should download this lone file /includes/database.mysql.inc and replace the current one with this one (wouldn't that break anything else?)

The message to the security list was posted a full week, maybe two weeks ago. I am aware you are all volunteers having other duties (job, family), so I apologize if I sound impatient.

About security, yes, I feel better seeing the document you share here, but I still wonder why within Drupal nobody seems to think that a full path disclosure IS indeed a security issue. Other projects would promptly send a patch if one were found:
http://www.google.com/search?q=%22full+path+disclosure%22+security
Drupal's record would look slightly less impressive if it had done likewise. On the pie chart in the document, I see entries for "Exposure system info" and "Exposure sensitive info". A full path exposure could fall under either. Drupal shows 0% advisories for both, but in the few weeks I have been using Drupal, I have found already two ways critical info can be exposed.
http://drupal.org/node/22872

So? Are Drupal core developers overconfident?

http://www.reuniting.org/
Healing with Sexual Relationships.

Steven

On my server, my data is in /var/www/domain.name.com. It doesn't take a genius to figure that out. Otherwise, it doesn't really tell them much that they couldn't find out in more obvious ways. If they want to find out the Apache and PHP version, they can look at the HTTP headers.

But the one thing you may not do with Drupal is generalize. We are a bunch of different people with all very different backgrounds. Only one person is needed to make a patch and convince the others with good arguments why it needs to be committed.

PS: A race condition is a problem that occurs due to timing problems, typically when two simultaneous processes are "racing" with each other for access to a resource. In this case, two anonymous users hitting your site with only a fraction of a second difference.

--
If you have a problem, please search before posting a question.

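The race Steven describes above (two requests reaching cache_set a fraction of a second apart, the second INSERT failing with "Duplicate entry"), reproduced as an added example that is not Drupal's code: SQLite stands in for MySQL, the interleaving is forced deterministically through a constructed `step` callback instead of being left to timing, and the atomic upsert shown as the fix is an illustrative mitigation, not the patch committed to Drupal.

```python
import sqlite3

CID = "menu:0:en"  # the key from the log message in this thread


def make_db():
    """Constructed stand-in for Drupal's cache table: cid is the unique key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cache (cid TEXT PRIMARY KEY, data TEXT, "
                 "created INTEGER, expire INTEGER, headers TEXT)")
    return conn


def cache_set_racy(conn, cid, data, step):
    """Check-then-write: the gap between the SELECT and the INSERT is the race window."""
    exists = conn.execute("SELECT 1 FROM cache WHERE cid = ?", (cid,)).fetchone()
    step()  # the other request runs here, inside our window
    if exists:
        conn.execute("UPDATE cache SET data = ? WHERE cid = ?", (data, cid))
    else:
        # Fails with a UNIQUE violation if someone inserted cid since our SELECT.
        conn.execute("INSERT INTO cache (cid, data, created, expire, headers) "
                     "VALUES (?, ?, 0, 0, '')", (cid, data))


def cache_set_atomic(conn, cid, data, step):
    """One atomic statement: there is no window between check and write.

    INSERT OR REPLACE is SQLite's form; MySQL offers REPLACE INTO or
    INSERT ... ON DUPLICATE KEY UPDATE for the same purpose."""
    step()
    conn.execute("INSERT OR REPLACE INTO cache (cid, data, created, expire, headers) "
                 "VALUES (?, ?, 0, 0, '')", (cid, data))


def run_interleaved(cache_set):
    """Request A is preempted between its check and its write by request B.

    Returns (error message or None, data finally stored for CID)."""
    conn = make_db()

    def request_b():
        cache_set(conn, CID, "written by B", lambda: None)

    error = None
    try:
        cache_set(conn, CID, "written by A", request_b)
    except sqlite3.IntegrityError as exc:  # the "Duplicate entry" from the logs
        error = str(exc)
    data = conn.execute("SELECT data FROM cache WHERE cid = ?", (CID,)).fetchone()[0]
    return error, data
```

Running `run_interleaved(cache_set_racy)` reproduces the duplicate-key error and leaves B's data in place, while `run_interleaved(cache_set_atomic)` completes without error and the later writer wins; neither path involves any user-controlled SQL, matching Steven's point that this is a timing bug rather than an injection.
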
beginner

The proper url in sig should read:

--
http://www.reuniting.info/
Healing with Sexual Relationships.