Hi,

Big problems, I've been running a Drupal site for about 2 years now and on 3 separate occasions in the past 2 months a regular user just suddenly becomes user1 with full admin privileges for no reason. I'm assuming this must be something to do with sessions getting mixed up? How that could happen though is a bit chilling :(

There is no foul play and all 3 users have no idea how it happened. The most recent occurrence happened today: I went onto the site and noticed that posts I had made as user1 were now under another username. My user1 login did not work. When I click the forgot password link, enter my user1 email address, and then click the one-time login, I can see that my account now has this other user's name and picture, but still has my original email address and profile details. The only way to recover my user1 account is to change the username back to admin, change the password and remove the picture, but because the other user's account BECOMES user1, once I do this their account is gone. It's utterly disturbing!

Just in case, before this last occurrence I have changed all passwords several times: user1 account, database, server etc. It's never a mysterious user up to no good, just people who have no idea why they visited the site and suddenly have admin privileges.

I have no user access or permissions modules installed either, not that it should have any effect on something as weird as this.

None of the database tables are labelled as crashed in phpmyadmin either.

The log shows nothing noteworthy, just shows the other user opening a session, posting a few things and then the session closing.

Anyone any ideas at all how or why this is happening? I have emptied the sessions table because it's the only thing I can think of doing. If I can't find an answer it's bye bye Drupal, this is an epic security failure of unimaginable proportions :|

Comments

tdimg’s picture

Please see this page about how to properly report a potential security issue (which this is):

http://drupal.org/node/101494

problue solutions’s picture

I am unsure if this is an actual flaw in the design of Drupal, or something else, which is why I'm asking on here if anyone has ever encountered anything like this before.

I will of course report it as an official security issue if that's the correct thing to do.

mitchmac’s picture

I would review the contributed modules that you have installed (if any) or custom modules. Some modules use user 1 for certain purposes and there could be a problem with the way that is being implemented.

atheneus’s picture

I suspect this is not a Drupal core issue, but most likely a module doing something that it shouldn't. I suggest making sure you have the latest stable recommended version of Drupal installed and that all your contrib modules are up-to-date.

Check http://drupal.org/security/contrib to see if you have any of the modules for which there might be security advisories.

Don't be so quick to rule out 'foul play'. It is possible for a module that has XSS vulnerabilities to open up a hole where someone can attempt session-hijacking.

I would also recommend installing Simpletest and the Security Scanner module (http://drupal.org/project/security_scanner) on a copy of your site to do some penetration testing to find anything in your configuration that is leaving you open to cross-site scripting.

problue solutions’s picture

Thanks for the reply. When I say there's no foul play, I mean on the part of the actual users who became user1. I know these people and know that they have done nothing intentionally, but I guess it's possible that someone else is hijacking their account. It's strange though that nothing malicious has ever been done once the user becomes user1.

I will follow your advice above, however my problem is that there's no real way to pinpoint what module is doing this or carry out tests. This problem might not occur again for months, so it's not a case of just turning off modules one by one to find the culprit.

The Drupal security team emailed me some example dangerous code that could cause this problem, so I might try opening every module file in a text editor and search for the string. It will take forever though and I still might not find it.
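The file-by-file search described in the comment above can be scripted. The following is an added example, not part of the original post and not the code the Drupal security team sent; it assumes the risky pattern is the one mitchmac's comment points at, a module that overwrites the global `$user` object to act as another account, and reports whether the file also calls `session_save_session()` (Drupal 6) or `drupal_save_session()` (Drupal 7). The default path `sites/all/modules` is an assumption about the site layout.

```python
import os
import re
import sys

# Assumption: the risky pattern is a module replacing the global $user object.
GLOBAL_DECL = re.compile(r"\bglobal\b[^;]*\$user\b")
LOCAL_ASSIGN = re.compile(r"\$user\s*=(?![=>])")
GLOBALS_ASSIGN = re.compile(r"\$GLOBALS\[\s*['\"]user['\"]\s*\]\s*=(?![=>])")
FUNC_START = re.compile(r"\bfunction\s+&?\w+\s*\(")
# Drupal 6 / Drupal 7 calls that stop the swapped account reaching the session.
SESSION_GUARD = re.compile(r"\b(?:session_save_session|drupal_save_session)\s*\(")
PHP_EXTS = (".module", ".inc", ".php", ".install")


def scan_file(path):
    """Return (findings, guarded); findings are (line_no, text) pairs."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings, user_is_global = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines
        if FUNC_START.search(line):
            user_is_global = False  # new function: $user is a local name again
        if GLOBAL_DECL.search(line):
            user_is_global = True
        if GLOBALS_ASSIGN.search(line) or (user_is_global and LOCAL_ASSIGN.search(line)):
            findings.append((no, line))
    return findings, bool(SESSION_GUARD.search(text))


def scan_tree(root):
    """Walk a modules directory; return sorted (path, line_no, text, guarded) rows."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(PHP_EXTS):
                path = os.path.join(dirpath, name)
                findings, guarded = scan_file(path)
                rows += [(path, no, line, guarded) for no, line in findings]
    return sorted(rows)


if __name__ == "__main__":
    # Default path is an assumed contrib location; pass your own as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "sites/all/modules"
    for path, no, line, guarded in scan_tree(root):
        print(f"{path}:{no}: [{'guarded' if guarded else 'UNGUARDED'}] {line}")
```

Lines tagged `UNGUARDED` are the ones to read first: the file reassigns the global `$user` and never touches session saving, so the swapped account can be written back to the visitor's session.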

atheneus’s picture

Security scanner is helpful because it will try to attack your input forms and inject malicious code - if there is a hole it might find it for you and identify which module has the vulnerability. Good luck with it!

newbie888’s picture

This happened to me too, in which user2's access logged user1 out and user1 could no longer log in again, and then user1's name was attached to user2's activities. This happened when two login sessions were open on the same client machine. The severity is, a normal user kicked the super user out for good. That's the power of users in Drupal.

problue solutions’s picture

Sounds kind of similar, but in your case there were 2 sessions open on the client machine. Although it's still a problem, I wouldn't be so concerned about it if only I had control over the user accounts involved. In my case the sessions are getting mixed up on entirely different machines, if indeed it is actually sessions related.

I was given advice that the examples of code on the following link could be to blame for this:

http://heine.familiedeelstra.com/node/2177

newbie888’s picture

The two incidents may be caused by the same problem, whatever that is, possibly related to Drupal session and/or user handling.

problue solutions’s picture

Did you ever find out what module was responsible on your site, or how did you solve it?

newbie888’s picture

I didn't look into the problem, because I had been a Drupal newbie for just a few days at that time.