Willy Dobbe - (d)DoS

Drupal coding: How to handle text in a secure fashion

Fri, 08 Sep 2006 00:54:18 +0200

When I did my first Unix system administration back in 1996 or so, I immediately did have a lot of respect for the beauty of Unix and system adminstrators who know, eat, sleep and dream Unix. Shortly after I got my first root prompt, there was this buzz, there was an option to bring down any Unix (and every other BSD TCP/IP stack) system with just one simple "ping command".

This was later knowns as the Ping of Death. This was an attack against the network layer of the OSI stack. Soon followed by even easier Denial of Service attacks like flood, smurf and the likes.

A couple of years later, attacks moved to a higher level, all the lower stuff was less easy to "hack". So we saw a lot of "buffer overlow" attacks in the late 90ies. This kind of attack is still happening, but most attention is now focussed to once again a higher level. So a couple of years back, we saw a lot of attacks on the application level.

For webservices, Cross Site Scripting (XSS) was the most used one. Most CMS-es, including better ones like Drupal did have these vulnabilities in them. And still, there are some Drupal modules that still have this kind of potential abuse in them. So when you do coding, it is not so hard to make code that can do what is should; match the functional requirements thet you or your customer defined. It is hard to make code that wont do what you dont want. Most customers are very good in describing what they want; to come up with a functional design. But nearly all of them fail to define what shouldnt

be possible.

If you think you or your customer didnt define what shouldnt be possible, make sure you read the "How to handle text in a secure fashion" page on Drupal.org

When handling and outputting text in HTML, you need to be careful that proper filtering or escaping is done. Otherwise there might be bugs when users try to use angle brackets or ampersands, or worse you could open up XSS exploits.

In a year or two we will be done with these XSS exploits and label it as yesterdays news. But will we still suffer from "even higher" attacks like SQL injection with the automated test tools that are available for good or evil now?

NRC has been geenstijled

Tue, 22 Aug 2006 22:15:09 +0200

Geenstijl.nl, Wees gerust en geen commentaar.

Preventing bandwidth theft for images deeplinking with Apache

Wed, 22 Jun 2005 10:22:49 +0200

(This text was written for the drupal handbook but didnt quite fit in, so I am reposting it here)

In case you have images in your image gallery drupal site, people might link or deeplink to these images. Deeplinking an image from one site to another might is okay for some people who want to share information (pictures) and make them available on an other place. Other people might think of it as bandwidth theft, you are providing resources to be shown out of context on another site.

Deeplinking images is complex from a legal point, in some countries it is explicit allowed, others forbidden. However, preventing deeplinking images is a very simple thing if you are using Apache.

On this page you can find some information on how you can prevent “image theft” from within Apache. Note that this feature has nothing to do with Drupal, please search the web for answers, look for newsgroups regarding Apache or post in usenet, but don’t use the Drupal forums of IRC channels for support.

Prevention of bandwidth theft is based on something that is called “referrer” string, a text string your browser sends to the website when asking for an object telling the website from what URL the object was asked from. If this URL is a URL for your site (or a trusted site) the image will be served, in case the URL differs, the image will not show in the browser. There are some powerful things you can do with this method, like sending an image with text mentioning the URL of your website. However, please note that sending a fake referrer sting is trivial, users and robots can spoof the referrer rather easy. Some browser are configured not to send referrers are have bugs in sending referrers and some proxy servers don’t send referrers to protect the privacy for the users, changes are you will be blocking legitimate users as well.

If you still want to prevent the image deeplinking, there are two ways of doing this. You can make an accesslist on your image directory with a necessary referrer string to access it. Or you can use a method called rewring URLS’s (which is used for drupals clean URL option as well).

Both options rely on editing the .htaccess file of Apache. In the examples used for both ways we want to prevent deeplink images of the type GIF, PNG and JPEG. Other types or media can be added easy. The site they are hosting on –and should be in the referrer string- is www.example.com and is also known as example.com. Please change this domainname to you fully qualified domain name(s)

Now for the first method, go to your drupal install directory (usually the document root of your webserver) and look for a file called .htaccess. Make a backup copy of this file and edit it. At the end of the file add the following lines:

SetEnvIfNoCase Referer "^http://www.example.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.example.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>

You don’t have to restart your webserver process and please don’t change the “referer” typo in the configuration, it is there as a geeky tribute to a dyslectic Apache coder.

Save the file and try to see if you can still access images by (shift) reloading your website in a browser. If this still works, try to hot link a image from another site, you shouldn’t be able to see the picture. If something went wrong, restore the backup file and search for help outside the drupal.org community.

The second way of preventing deeplinking is more powerful but based on the same principles. In case the refferer string is not our site, we will serve another image called “please_do_not_hotlink_our_images.png” from the document root. Note that you will have to make this image yourself. Now make sure that you are using Apache as a webserver and that mod_rewrite is enabled. Once again, go to your drupal install directory and look for a file called .htaccess. Make a backup copy of this file and edit it. Search for a line called “RewriteEngine” and make sure that the next word is “on”, “RewriteEngine On”. In case you haven’t got this line and are sure you are using mod_rewrite, add the line yourself.

Now add the following lines after the “RewriteEngine On”

RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.( gif|png|jpe?g)$ / please_do_not_hotlink_our_images.png [L]
SetEnvIfNoCase Referer "^http://www.example.com /" locally_linked=1
SetEnvIfNoCase Referer "^http://www.example.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>

Once again test it from your own site and another site and in case your site breaks or isn’t preventing image deeplinking, rollback your configuration file.

Experiments In Slashdottery

Thu, 26 May 2005 09:11:22 +0200

viruoffice.com (a drupal site) is nice. See this "HowTo Get Slashdotted

"How the heck do I drive traffic to my site?"
- Ficticious McGillicutty, President - Small Web Business, Inc.

"Dude, I got Slashdotted and my server is borked!"
- Nerdly Von Slashenheimer, Borked Server Owner

Here lies one of the great ironies of the web.

To a small business owner, driving interested customers to your site can be a daunting task. After investing in an online brand strategy, slick site design, shopping cart software and hosting service, it's typical to be nervous about the prospect of drawing enough customers to recuperate costs and make a profit.

How is it, then, that your average high school nerd can take a short break from Everquest, write a one paragraph blurb about something of nerd interest, and two days later be forced to deal with so much traffic that mom's dsl router overheats and reboots itself.

In this article, I'll show you how easy it is to get slashdotted and what this means to the average web business.

packetstorm security

Fri, 30 Apr 2004 20:14:00 +0200

Packet Storm offers an abundant resource of up-to-date and historical
security tools. We are a non-profit organization comprised of security
professionals that are dedicated to providing the information necessary
to secure the networks world-wide. We accomplish this goal by
publishing new security information on a global network of websites.

new viri

Fri, 30 Apr 2004 20:08:00 +0200

A list of new viri from the makers themselves

slashdot slashdotted?

Wed, 14 Apr 2004 23:16:00 +0200

Slashdot is slashdotted. We will find out why in a couple of hours I quess.

GET / HTTP/1.1
Host: slashdot.org
...

HTTP/1.x 503 Service Unavailable
Content-Type: text/html
Content-Length: 169

xxx-awl-at-000

Sun, 15 Feb 2004 18:09:00 +0100

//phonespell. whats your name?

and justice for all

Thu, 05 Feb 2004 22:49:00 +0100

sco is going //down in a hard way. and the //results have something to do with it.

ms poster

Thu, 05 Feb 2004 22:28:00 +0100

See some security posters at //microso~1.com.

It seems that "the road ahead" on the m$ path is filled with some scary objects.

I have got one word for you....

//love

sco's ups and downs

Sun, 01 Feb 2004 20:20:00 +0100

There is a new virus in the wild, according to the elite magazine //winnetmag.com. It is called MyDoom, is targetting sco and is spreading, get this, according to the unbiased winnetmagazine, its spreading via UNIX mailservers:

A new email virus called MyDoom is spreading rapidly across the
Internet through UNIX mail servers, bringing with it a dangerous
attachment that, when opened, can give attackers access to users'
computers through an electronic backdoor.

Come again? A new virus? I quess they have been patching and hotfixing the Exchange servers too long in the basement and havent seen the daylight or read any newspapers the last couple of weeks.

But really?

...through UNIX mail servers...

Please get of our internet and stay down in your basement!

I have opened a lot of these mail in //my mailclient on my OS and still, no backdoor.exe running on //my system.

www.sco.com by the way is down, not due to dDoS of MyDoom but due to the fact that sco took out the A record out of the DNS

sco.com
origin = ns.calderasystems.com
mail addr = hostmaster.caldera.com
serial = 2004020103
refresh = 3600
retry = 900
expire = 604800
minimum = 1800

so:

host www.sco.com
Host www.sco.com not found: 3(NXDOMAIN)

See also //this netcraft posting as //well as this one. But //this posting on netcraft is one of the funniest ever found on netcraft.

A newsstory on //reuters is there for the non techies who just happen to visit willy by accident. Like all the newsstoys, journalist fail to see sco for what is really is. Journalist copy text from the sco pressreleases without asking questions. A dutch magazine ("Automatiseringsgids") said sco has shown "hard evidence". Yep, thats journalism in the Netherlands (and the RotW)

So why can some "amateurs" of the excellent site //groklaw //PROOF that the code sco claims that IBM put in Linux, has been put into Linux by ... sco. Yes, sco put the code under the GPLicence in Linux!

Groklaw needs to get the pulitzer price!

no mo cert

Sun, 28 Dec 2003 15:49:36 +0100

the //cert used to be a rather good source for security. with all kinds of full disclosure lists (such as the //bugtraq) the last couple of years, certs value has been devaluated rapidly. and with "tech articles" like //these, cert is giving in.

xs4all ddos-ed

Thu, 25 Dec 2003 21:58:00 +0100

since 17:50 i see in my watchdog process of drupal

25/12/2003 - 21:40 warning: fopen("http://www.xs4all.nl/nieuws/storingen/rss.php"

rather ironic, the storingen page is down...

so i tried to get the file in my browser and after a couple of reloads i got the file:

Thu, 25 Dec 2003 19:16:43 +0100

Er is op dit moment een DDoS gaande richting shell servers en
www.xs4all.nl. Hierdoor zijn beide services af en toe slecht
bereikbaar.

Excuses voor de overlast,

Cor

poor //cor. working on xmas. damm sciptkiddies! or is -conspiracy theory on- the //Co$ behind this?

anyway, website is reachable again. it isn't the //first time xs is dDOS-ed

update: dont know if related but xs4all.nl (note the missing www) has an error:

SSH-2.0-OpenSSH_3.7.1p1
Protocol mismatch.

sco's investor site at...

Mon, 25 Aug 2003 20:40:00 +0200

so if you are ~~sco~~ where would you host your //investor relation site [ir.sco.com]? well, where you want your investor to be, at IBM:
[root@kjell]# host ir.sco.com ir.sco.com is an alias for cald.client.shareholder.com. cald.client.shareholder.com is an alias for client.shareholder.com. client.shareholder.com has address 170.224.5.43 [root@kjell]# whois 170.224.5.43 [...] NetRange: 170.224.0.0 - 170.227.255.255 CIDR: 170.224.0.0/14 [...] NameServer: NS1.RALEIGH.USF.IBM.COM NameServer: NS2.RALEIGH.USF.IBM.COM [...]TechEmail: noc@ibm.com

willy thinks: in related news, sco's site has been //down for 3 days now due to a dDOS

white

Mon, 18 Aug 2003 21:52:00 +0200

white bloodcells to the //rescue