Jump to:
| Project: | PIFR Demo |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
So being the punk that I am, the first thing I did on my demo site was enable PHP module, then enter the following:
<?php
global $databases; print_r($databases);
?>This happily gave me my username, password, and database information:
Array ( [default] => Array ( [default] => Array ( [driver] => mysql [database] => pifr1272686382 [username] => testingadmin [password] => drupaltesting1 [host] => localhost [port] => ) ) ) It looks like while the database names are randomly generated (or semi-randomly; cyberswat noted it was a timestamp), the username/password looks to be the same across all demo sites.
To test this theory, I tried the following snippet from chx:
<?php
foreach(db_query('SHOW DATABASES') as $object) var_dump($object);
?>It happily barfed out 58 other databases on the same server, even "information_schema" which I don't think I should have access to even know exists.
I didn't go any further in my quest to be a royal troublemaker, but it definitely feels like there is room for improvement in locking these sandboxes down. :)
Other malicious things to test:
- Can I write to / delete from other users' databases?
- Can I write to / delete from other users' files directories?
- Can I send outgoing email?
- Can I view sensitive files on the underlying system like /etc/shadow?
- Probably 100,000 other things... be creative! :D
Comments
#1
Would like to know how we'll solve it, as Demo module tries to achieve something similar.
#2
Play with OpenVZ create a new VZ for every demo site, good luck breaking out from a virtual server.
#3
+1 for OpenVZ. That's the only possible solution.
This said, I'm still -1 on this general idea. Too much a hassle, too many security concerns, too many people that actually care about it, too few benefits.
#4
When I created demo.drupal.cz, I made sure to "patch" it to disable drupal_eval at all.
#5
You can do that, but then the problem is if someone's trying to test a bug related to drupal_eval(), they can't. However, that's a pretty extreme edge case. ;)
However, database credentials still apply, since you can't effectively lock down those without crippling the demo site.
#6
MySQL wise we can do several things, here are two:
BTW. if worry about running out of IPs then run a proxy on host and proxy per subdomain or per dir to a different VZ internal IP.
#7
We discussed this in detail with dww and cyberswat and as has been stated before security is something we cannot really enforce well. Just as with the patch testing clients anyway can demo any patch. Thus they could upload a patch that just hardwires Drupal to do something bad or just upload their own php evalutating module.
We just need to have the AMI re-installed every 24 hours and as we have already confirmed mail sending is not installed. The usefulness of the box outside of that is limited as a bot or what not if possible.
After a lengthy discussion we decided we had done all that made sense. Unless anyone has an good ideas I think we have done all we can, except possibly chx's thought, but I am not exactly sure what he is reffering to.
#8
I agree w/ Jimmy, doesn't make much sense to harden something which is temporary in nature and limited in it's ability to affect the outside world. I'm not really that worried about being able to mess with the databases / files of other tests runs. The only reasons I would be worried (and it would be good to make sure this isn't possible) is:
1. Can I setup a XSS attack by messing with test output... basically, anyway I can get malicious JS on d.o.
2. allow_url_fopen is on... I guess that's needed, but perhaps institute a b/w or request quota per demo site? Not sure this is possible w/o a VM, but maybe through some tricky apache stuff it would be...
Is there any other real threat besides someone making my awesome patch look broken?
I suppose if there wasn't sufficient review I could make someone's dangerous patch look like it passes :) That might get a committer to send it upstream. I don't see that happening in core, but it does give one pause.
-J
#9
Jacob: If my understanding of the problem is correct (which is somewhat unlikely at 4am,) one possible scenario is that two people start new demo sites around the same time. If the first person attempts creating a new account with their day to day password (yes, I realize that is HIGHLY unwise,) there could be a problem. All that would be required is for the second site to grab the {users} table from all available sites and they would have the hashed form of the user's password.
Taking this a little further, another possibility would be that site B rewrites the {system} table of all other available databases so that "modules/user/user.module" is replaced by "../notthedroids/modules/user/user.module". Suddenly, the password hashing algorithm used on all demo sites is $hashed = $prehashed;
I suspect that this feature would be most used by people who do not know how to patch an installation themselves. Because of this, I also suspect that they would be more easily lulled into a very false sense of safety "since my site (and data) will be removed later anyway."
OpenVZ does seem like the best solution. Second to it would be a something like suPHP. Either way, I'd hope to see a new database user (with very limited permissions) created for each installation.
(While we're suspecting malicious users though, I wonder how long it will take for someone to post / try a "patch" that completely replaces the Drupal file tree with WordPress... Either that or just changing $databases to something that is hosted somewhere else.)
#10
Just to clarify this server is not on the Drupal.org infrastructure, and is not using the drupal.org domain name.
It sounds like database user isolation is the best path, plus removing drupal_eval. Neither are complete solutions, but these are demo instances that will only exist for a few hours. The VM will be reset every few hours.
#11
There is absolutely no point in removing drupal_eval(), because the whole point of the testing site is *to test a patch*, so code injection is already possible *by nature*.
This whole project is a no-go, supposing that the module doesn't support spawning each demo site in a separate OS-level container (OpenVZ-type). I'll not run any demo server that doesn't support this.
#12
Well, we could always restrict this to releases...then at least we could demo any project (obviously that means we have to trust people with cvs access...but at somepoint we have to trust people...). I think patches would be great and just reset the server once a day. Not much more risk then browsing any other site...Just put a notice that says do not post personal data.
Passwords are random anyway...I dunno...if someone has nothing better to do they can hose the demo server and then it will be reset. Another note...we only need one demo server and it can be firewalled fairly heavily and as longs webuser != root there is limited damage to box itself. I'm not an expert, but the risk seems rather limited.
If someone wants to go ahead and implement OpenVZ or related that's great, but I don't have that kind of time. If not (as I suspect) then we should probably just restrict it to releases for now if it is still felt the security risks are too great.
Patching the demo site inself in anyway makes no sense for testing patches since they can do whatever they please. As for the db info that should be fried by pifr and we can firewall that stuff anyway.
#13
I don't think restricting projects to official releases solves the concerns voiced by Damien in #11. As he mentions, regardless of how stable the release the patch is being applied against is, the patch could simply revert security checks added in the stable release (accidentally or on purpose), or someone could just upload a patch that deleted the entirety of Drupal core and replaced it with code for a rootkit. :P We'd of course catch a blatant attempt to be a complete ass eventually, but maybe not until they'd wreaked some serious havoc.
Anyone with familiarity with OpenVZ know how much effort we're talking about here? Is it kind of "install and go", or will it require a bunch of work on the PIF[R|T] side to integrate..?
#14
I am talking about restricting the demos to only official releases...as in no patches.
#15
Oh. :(
Could we still do the "Download this patch + project together" on testbot results?
#16
I'm not opposed to sticking everything in OpenVZ containers and doing the work to make that happen but what it comes down to, from my perspective, is a question of resources. The current implementation shares an AMI's resources and can support a much larger set of demo sites vs the more resource intensive approach of having a container run each site. I'm not aware of how many containers can be run on a single machine but I would imagine we would need to start spawning a lot of machines to support this. Some of us are already paying a lot of out of pocket money to support Drupal's testing efforts as it is. Because of the complexity in the client setups and the demo setup our best effort has been to provide AMI's which fail at being able to utilize donated hardware. I can only imagine that using OpenVZ will further lock us into that problem.
Modifying the code to provide a download link of the code and not an instance isn't to difficult but if we go that route wouldn't it make more sense to just apply the patch in your own sandbox and not have to support this at all?
#17
No, this would still be a huge win. In order to even use the
patchcommand, you need special tools on Mac and Windows (which probably covers at least 80% of our users) that 99% of them don't have unless they go way out of their way to put them there. This would open up patch testing to thousands of others; if they already know how to download core and modules, they'd be able to help test patches (albeit not as optimally, as they'd need to go through the install each time).I understand the concern about further resource utilization, and the burden this places on test client providers. At this point I'm a bit out of my depth to know whether the security/resource trade-off is an acceptable one.
#18
The URL of the patch servers is not public, afaik, so I think it's a little harder to use hack those (but we should ideally harden them quite a bit more than the current).
As above - the demo servers while nice in theory sound likely to be a source of ongoing headache as they are hacked daily.
In terms of patch downloads, are we trying to build the patched tarball on demand, or as of patch submission?
#19
I think we'd just re-use whatever the packaging scripts are doing for install profiles. Which, afaik, is on the fly.
#20
I still think allowing this to function for releases so that all projects get a demo link or "try this" would be great. I feel like we ought to leave the patch part enable and only disable if we run into problems, but it seems there are some strong opinions there.
#21
my 2¢...
session.cookie_pathso that cookies are restricted to the particular demo instance (when we chatted at DCSF Jimmy indicated each instance would share an IP with many others, but be in a unique subdir).+1 on enabling this for themes too. Also +1 on not giving up, this has awesome potential.
#22
@grendzy everything you describe sounds like a perfect use case for OpenVZ