Drupal gets lessons from Rain Forest Puppy
In the early 2000s a hacker who goes by the pseudonym "Rain Forest Puppy" (RFP) broke into the bulletin board system of the security advisory group PacketStorm. He got administrative rights and stole about 800 passwords. There is a lot that the Drupal community can learn from RFP's attack.
PacketStorm was using a web application, wwwThreads, for its forum. Just like Drupal, the application had a function to cleanse data of SQL abuses, called quotes(). quotes() did basically the same thing that placeholders in db_query() do in Drupal. But just like db_query(), quotes() isn't always used right. So even though there are definite differences between wwwThreads and Drupal, there are enough similarities that studying the hack is well worth our time.
Rain Forest Puppy wrote a paper that chronicles his thinking and how he arrived at the attack. With a combination of white box analysis (reading the source code) and black box analysis (making educated guesses against the live software), he was able to figure out what he needed. The paper is a definite must-read.
- Lesson #1: Obfuscation is not enough. We can make things work differently, for example by renaming install.php, but that would only discourage the casual perpetrator, who would move on to other sites looking for lower-hanging fruit. It won't stop a digital spelunker like RFP. The copy of wwwThreads running on the site differed from the free version he had downloaded, but that only slowed him down a little. What he learned from reading the source led him in some wrong directions, yet it gave him enough clues to guess his way back and wander around until he stumbled on the mother lode.
- Lesson #2: Security must be 100%. It only took a couple of mistakes for RFP to bend the site to his will. Almost every variable passed in via GET was cleansed correctly with quotes(), except for the couple he used. In the end it didn't matter that the authors of wwwThreads were diligent in most cases. For security to be meaningful you need to apply it 100% of the time, or it is worth 0%.
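To make lessons 1 and 2 concrete, here is an added example (not code from the original post, from wwwThreads, or from Drupal) that contrasts the mistake RFP exploited, a variable pasted straight into the SQL string, with the same query routed through a placeholder. placeholder_query() is a small stand-in that mimics how Drupal 6's db_query() substitutes '%s' and '%d' arguments; it uses addslashes() instead of the database driver's escaping so that the script runs without a database, and the input name is constructed for the demonstration.

```php
<?php
// Added example: stand-in for Drupal 6 db_query() placeholder substitution.
// '%s' arguments are escaped, '%d' arguments are cast to integers.
// Real Drupal escapes with db_escape_string(); addslashes() is used here
// only so the script runs stand-alone without a database connection.
function placeholder_query($sql, array $args) {
    return preg_replace_callback('/%d|%s/', function ($m) use (&$args) {
        $value = array_shift($args);
        return $m[0] === '%d' ? (string) (int) $value : addslashes($value);
    }, $sql);
}

// The mistake the lessons describe: one variable concatenated into the SQL.
// Whatever the caller sends becomes part of the statement, quotes included.
function unsafe_lookup($name) {
    return "SELECT uid FROM users WHERE name = '" . $name . "'";
}

// The same query with the value passed through the placeholder: the quote
// in the input is escaped and the statement keeps the shape we wrote.
function safe_lookup($name) {
    return placeholder_query("SELECT uid FROM users WHERE name = '%s'", array($name));
}

// Constructed input: an ordinary name that happens to contain a quote.
$name = "O'Brien";
echo unsafe_lookup($name), "\n"; // the quote ends the string literal early
echo safe_lookup($name), "\n";   // name = 'O\'Brien', one literal as intended

// Numeric placeholders cast, so non-numeric junk never reaches the query.
echo placeholder_query("SELECT uid FROM users WHERE uid = %d", array("42abc")), "\n";
```

Run it with `php example.php`. The point of lesson 2 is visible in the two functions: both exist in the same code base, and it takes only one call to unsafe_lookup() somewhere for the diligence behind safe_lookup() everywhere else to count for nothing.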
- Lesson #3: Having a central contact for security issues helps solve a lot of problems. wwwThreads was lucky that RFP was ethical: he keeps security problems confidential for vendors that respond to him. If we didn't have a security team, or if it did not respond, he would warn the world by disclosing the details of any vulnerabilities he found.
- Lesson #4: Do not deviate from our security model. While wwwThreads' model is different from ours, they have the same problems we do, and if they had kept to their model the problems wouldn't have occurred. They take the common route of cleaning information from GET as it arrives and copying it into different variables. At Drupal, by contrast, input passes through an additional abstraction layer and reaches us through the Forms API (FAPI); data is sanitized against cross-site scripting (XSS) just before it is output, and against SQL injection just before database access. Our model is superior in my opinion, but a Drupal developer would make the same mistake by bypassing FAPI, or by using their own database abstraction or none at all.
- Lesson #5: Drupal's passwords are still vulnerable. Having our passwords hashed is not enough. Not only can someone do what RFP did in 2000, they can do what a Chinese professor did in 2005. RFP downloaded a copy of the hashed passwords and ran them through John the Ripper offline. The Chinese professor (see below) analyzed the hashes and did what was thought to be impossible: she reversed them, and did so 2000 times faster than checking each and every possible value. We can try using a more "secure" hash like SHA-512, but it will only be a matter of time before it is broken too. Another approach is to salt the passwords, thereby adding a level of complexity. There is a Drupal module that will do just that, but with Drupal 7's improved password handling the module won't be needed.
An aside about the Chinese attack: in the last ten years the same person (Dr. Wang Xiaoyun of Beijing's Tsinghua University and Shandong University of Technology) has broken five of the best-known names in cryptography (HAVAL-128, MD4, RIPEMD, MD5, and SHA-1), and she claims to have done it by hand without any major computer assistance. Others have since claimed to duplicate her work, but the bottom line is that what was once thought to be safe is no longer secure.
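The salting approach from lesson 5, as an added example that is not code from the original post or from the Drupal module it mentions. hash_unsalted() stands for what Drupal 5 and 6 stored (a bare MD5 of the password); hash_salted() and verify_salted() show the per-user salt scheme, with the function names and the sample password constructed for this illustration.

```php
<?php
// Added example: why an unsalted hash is exposed to the offline attack in
// lesson 5, and what a per-user salt changes. Not Drupal's own code.

// Unsalted: identical passwords give identical hashes, so one cracked hash
// cracks every account sharing that password, and precomputed tables of
// common passwords apply directly to the whole stolen list.
function hash_unsalted($password) {
    return md5($password);
}

// Salted: a random salt is generated per user and stored beside the digest,
// so two users with the same password get different hashes and each hash
// has to be attacked on its own. Format here: "<hex salt>$<hex digest>".
function hash_salted($password) {
    $salt = bin2hex(random_bytes(16));
    return $salt . '$' . hash('sha512', $salt . $password);
}

// Verification recomputes the digest with the stored salt. hash_equals()
// compares in constant time so the check itself leaks nothing by timing.
function verify_salted($password, $stored) {
    list($salt, $digest) = explode('$', $stored, 2);
    return hash_equals($digest, hash('sha512', $salt . $password));
}

$pw = 'correct horse';   // constructed sample password shared by two users

// Two users, one password: unsalted hashes collide, salted ones do not.
echo hash_unsalted($pw) === hash_unsalted($pw) ? "unsalted: identical hashes\n" : '';
$user_a = hash_salted($pw);
$user_b = hash_salted($pw);
echo $user_a !== $user_b ? "salted: different hashes for the same password\n" : '';

var_dump(verify_salted($pw, $user_a));       // bool(true)
var_dump(verify_salted('wrong guess', $user_a)); // bool(false)
```

A salt removes the shared-hash and precomputation shortcuts, but on its own it does not make an individual guess slower; Drupal 7's password handling (and PHP's built-in password_hash()) add an iteration count on top of the salt so that each guess costs the attacker real work.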
- Lesson #6: Validate input whenever possible. While Drupal's parameterized queries (db_query() and its placeholders) protect us from RFP's attack, we should still be validating all form information with hook_form_validate and the elements' #validate in Drupal 5 and #element_validate in Drupal 6.
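Lessons 4 and 6 together describe one flow: input arrives through FAPI, is validated per element and per form, is escaped for SQL at the database call and for HTML at output. The following added example (assuming Drupal 6's Form API; it is not code from the original post, and the module name "example" and the form it builds are placeholders for this illustration) puts those steps in one small module.

```php
<?php
// Added example for Drupal 6: validation with #element_validate and
// #validate, SQL escaping via a '%s' placeholder at the db_query() call,
// HTML escaping via t() placeholders at output. Module name "example"
// is a placeholder; drop these functions into example.module to try them.

// Form builder: values reach the handlers through $form_state, never raw
// from $_GET or $_POST, so every field passes the validators below.
function example_lookup_form(&$form_state) {
    $form['name'] = array(
        '#type' => 'textfield',
        '#title' => t('User name'),
        '#required' => TRUE,
        '#maxlength' => 60,
        // Per-element check: runs against this field only.
        '#element_validate' => array('example_name_element_validate'),
    );
    $form['submit'] = array('#type' => 'submit', '#value' => t('Look up'));
    // Form-level check: runs after element validation and sees all values.
    $form['#validate'][] = 'example_lookup_form_validate';
    return $form;
}

// #element_validate handler: accept only the characters a user name needs.
// form_error() marks the element and blocks submission.
function example_name_element_validate($element, &$form_state) {
    if (!preg_match('/^[A-Za-z0-9 ._-]+$/', $element['#value'])) {
        form_error($element, t('The name contains characters that are not allowed.'));
    }
}

// Form-level validate handler (the hook_form_validate role): cross-field
// or length rules that do not belong to a single element.
function example_lookup_form_validate($form, &$form_state) {
    if (drupal_strlen($form_state['values']['name']) < 3) {
        form_set_error('name', t('The name must be at least three characters long.'));
    }
}

// Submit handler: the value is validated, but SQL escaping still happens
// at the database boundary ('%s'), and HTML escaping at the output
// boundary (t()'s @ and % placeholders run check_plain() in Drupal 6).
function example_lookup_form_submit($form, &$form_state) {
    $name = $form_state['values']['name'];
    $uid = db_result(db_query("SELECT uid FROM {users} WHERE name = '%s'", $name));
    if ($uid) {
        drupal_set_message(t('Found user %name with uid @uid',
            array('%name' => $name, '@uid' => $uid)));
    }
    else {
        drupal_set_message(t('No user named %name.', array('%name' => $name)));
    }
}
```

Validation is the part lesson 6 adds on top of the placeholder: the '%s' alone already stops the query from being rewritten, but rejecting unexpected characters up front keeps bad data out of the database altogether and gives the user a clear error instead of a silent miss.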