(d)DoS

Drupal coding: How to handle text in a secure fashion

When I did my first Unix system administration back in 1996 or so, I immediately had a lot of respect for the beauty of Unix and for system administrators who know, eat, sleep and dream Unix. Shortly after I got my first root prompt, there was this buzz: there was an option to bring down any Unix system (and every other BSD TCP/IP stack) with just one simple "ping command".

This was later known as the Ping of Death. It was an attack against the network layer of the OSI stack, soon followed by even easier Denial of Service attacks like flood, smurf and the like.

A couple of years later, attacks moved to a higher level, as all the lower stuff had become less easy to "hack". So we saw a lot of "buffer overflow" attacks in the late 90s. This kind of attack is still happening, but most attention is now focused on a yet higher level. So a couple of years back, we saw a lot of attacks on the application level.

For web services, Cross Site Scripting (XSS) was the most used one. Most CMSes, including better ones like Drupal, had these vulnerabilities in them. And there are still some Drupal modules that have this kind of potential abuse in them. So when you do coding, it is not so hard to make code that does what it should: match the functional requirements that you or your customer defined. It is hard to make code that won't do what you don't want. Most customers are very good at describing what they want, at coming up with a functional design. But nearly all of them fail to define what shouldn't be possible.

If you think you or your customer didn't define what shouldn't be possible, make sure you read the "How to handle text in a secure fashion" page on Drupal.org:

When handling and outputting text in HTML, you need to be careful that proper filtering or escaping is done. Otherwise there might be bugs when users try to use angle brackets or ampersands, or worse you could open up XSS exploits.

In a year or two we will be done with these XSS exploits and label them as yesterday's news. But will we still suffer from "even higher" attacks like SQL injection, with the automated test tools that are now available for good or evil?

NRC has been geenstijled

Geenstijl.nl, rest assured and no comment.

Preventing bandwidth theft for images deeplinking with Apache

(This text was written for the Drupal handbook but didn't quite fit in, so I am reposting it here)

In case you have images in the image gallery of your Drupal site, people might link or deeplink to these images. Deeplinking an image from one site to another might be okay for some people who want to share information (pictures) and make it available in another place. Other people might think of it as bandwidth theft: you are providing resources to be shown out of context on another site.

Deeplinking images is complex from a legal point of view: in some countries it is explicitly allowed, in others forbidden. However, preventing deeplinking of images is very simple if you are using Apache.

On this page you can find some information on how you can prevent “image theft” from within Apache. Note that this feature has nothing to do with Drupal. Please search the web for answers, look for newsgroups regarding Apache or post on Usenet, but don’t use the Drupal forums or IRC channels for support.

Prevention of bandwidth theft is based on something called the “referrer” string, a text string your browser sends to the website when asking for an object, telling the website which URL the object was requested from. If this URL is a URL of your site (or a trusted site), the image will be served; if the URL differs, the image will not show in the browser. There are some powerful things you can do with this method, like sending an image with text mentioning the URL of your website. However, please note that sending a fake referrer string is trivial; users and robots can spoof the referrer rather easily. Some browsers are configured not to send referrers or have bugs in sending referrers, and some proxy servers don’t send referrers to protect the privacy of their users, so chances are you will be blocking legitimate users as well.

If you still want to prevent image deeplinking, there are two ways of doing this. You can make an access list on your image directory with a referrer string that is necessary to access it. Or you can use a method called rewriting URLs (which is used for Drupal's clean URL option as well).

Both options rely on editing the .htaccess file of Apache. In the examples for both ways we want to prevent deeplinking of images of the types GIF, PNG and JPEG. Other types or media can be added easily. The site they are hosted on (and which should be in the referrer string) is www.example.com, also known as example.com. Please change this domain name to your fully qualified domain name(s).

Now for the first method, go to your Drupal install directory (usually the document root of your webserver) and look for a file called .htaccess. Make a backup copy of this file and edit it. At the end of the file add the following lines:

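# The dots are escaped so that they match only a literal "." in the host name.
SetEnvIfNoCase Referer "^http://www\.example\.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www\.example\.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://example\.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://example\.com$" locally_linked=1
# An empty Referer is allowed too, for browsers and proxies that send none.
SetEnvIfNoCase Referer "^$" locally_linked=1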
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>

You don’t have to restart your webserver process. And please don’t change the “referer” typo in the configuration; it is there as a geeky tribute to a dyslexic Apache coder.

Save the file and try to see if you can still access images by (shift) reloading your website in a browser. If this still works, try to hotlink an image from another site; you shouldn’t be able to see the picture. If something went wrong, restore the backup file and search for help outside the drupal.org community.

The second way of preventing deeplinking is more powerful but based on the same principles. In case the referrer string is not our site, we will serve another image called “please_do_not_hotlink_our_images.png” from the document root. Note that you will have to make this image yourself. Now make sure that you are using Apache as a webserver and that mod_rewrite is enabled. Once again, go to your Drupal install directory and look for a file called .htaccess. Make a backup copy of this file and edit it. Search for a line starting with “RewriteEngine” and make sure that the next word is “on”: “RewriteEngine On”. In case you haven’t got this line and are sure you are using mod_rewrite, add the line yourself.

Now add the following lines after the “RewriteEngine On” line:

# Use these rules instead of the access list from the first method: with both in place, the replacement image is denied as well.
# The host name must be followed by "/" or the end of the string.
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com(/|$) [NC]
# Requests without a Referer are left alone.
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(gif|png|jpe?g)$ /please_do_not_hotlink_our_images.png [L]

Once again, test it from your own site and from another site, and in case your site breaks or isn’t preventing image deeplinking, roll back your configuration file.
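The decision the referrer check makes can be tried out offline before touching .htaccess. This is an added example in Python, not part of the original post: it compares a host pattern that is not anchored after the domain name with one that is, over constructed Referer values. The function names and the sample requests are assumptions.

```python
import re

# Host pattern that stops right after the site name: anything that merely
# starts with "example.com" passes. (Assumed name LOOSE, for comparison.)
LOOSE = re.compile(r"^http://(www\.)?example\.com", re.IGNORECASE)
# Anchored pattern: the name must be followed by "/" or the end of the string.
STRICT = re.compile(r"^http://(www\.)?example\.com(/|$)", re.IGNORECASE)
# Same extensions as the RewriteRule; case-sensitive, as that rule has no [NC].
IMAGE = re.compile(r"\.(gif|png|jpe?g)$")


def decide(path, referer, allowed=STRICT):
    """Return 'serve' or 'placeholder' for one request.

    Mirrors the two RewriteCond lines: a request is rewritten only when the
    Referer is non-empty AND does not match the allowed pattern.
    """
    if not IMAGE.search(path):
        return "serve"        # the rule only applies to image extensions
    if referer == "":
        return "serve"        # no Referer sent (proxy, privacy setting)
    if allowed.search(referer):
        return "serve"        # linked from our own site
    return "placeholder"      # foreign Referer: send the replacement image


# Constructed sample requests: (path, Referer header value).
SAMPLES = [
    ("/files/cat.jpg", "http://www.example.com/gallery"),
    ("/files/cat.jpg", "http://EXAMPLE.com"),
    ("/files/cat.jpg", ""),
    ("/files/cat.jpg", "http://other.example.net/page"),
    ("/files/cat.jpg", "http://example.com.other.example.net/page"),
    ("/node/1", "http://other.example.net/page"),
]


def compare():
    """Return rows of (referer, decision with LOOSE, decision with STRICT)."""
    return [(ref, decide(p, ref, LOOSE), decide(p, ref, STRICT))
            for p, ref in SAMPLES]


if __name__ == "__main__":
    for ref, loose, strict in compare():
        print(f"{ref!r:48} loose={loose:12} strict={strict}")
```

Only the fifth sample differs between the two patterns: a foreign host name that begins with the site name passes the unanchored pattern and is caught by the anchored one. The empty Referer is served in both cases, which is the trade-off the text describes.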

Experiments In Slashdottery

viruoffice.com (a Drupal site) is nice. See this "HowTo Get Slashdotted":

"How the heck do I drive traffic to my site?"
- Ficticious McGillicutty, President - Small Web Business, Inc.

"Dude, I got Slashdotted and my server is borked!"
- Nerdly Von Slashenheimer, Borked Server Owner

Here lies one of the great ironies of the web.

To a small business owner, driving interested customers to your site can be a daunting task. After investing in an online brand strategy, slick site design, shopping cart software and hosting service, it's typical to be nervous about the prospect of drawing enough customers to recuperate costs and make a profit.

How is it, then, that your average high school nerd can take a short break from Everquest, write a one paragraph blurb about something of nerd interest, and two days later be forced to deal with so much traffic that mom's dsl router overheats and reboots itself?

In this article, I'll show you how easy it is to get slashdotted and what this means to the average web business.

packetstorm security

Packet Storm offers an abundant resource of up-to-date and historical
security tools. We are a non-profit organization comprised of security
professionals that are dedicated to providing the information necessary
to secure the networks world-wide. We accomplish this goal by
publishing new security information on a global network of websites.
