Input formats - the quickest way to make your site insecure
Heine Sun, 2007/12/30 - 23:15
In a desperate attempt to balance my karma at the end of the year, a small public service post about the most popular way to make your site insecure. This is aimed at website administrators and developers. There will be no code (promise).
The best way to make your site and server an open playground for sociopathic script kiddies (including me) is to visit Administer » Site configuration » Input formats (admin/settings/filters), select the inviting radio button labelled 'Default' next to the PHP code input format and click 'Set default format'.
A good second way to make your site insecure is to allow 'anonymous' or 'authenticated' users to use the PHP code input format. Just follow the 'configure' link, and fill all these empty "Roles" checkboxes that are just begging to be filled. Adding the PHP evaluator filter to a user accessible input format is yet another gaffe.
Now, when the Googlebot pays you another visit and updates its index, everyone googling for the presence of certain helptext in the filtertips will find your site. They can then leave or preview nice comments such as the following between <?php ?> tags:
$GLOBALS['user']->uid = 1;
And presto! They have administrator privileges immediately.
Yet another popular pitfall is to disable the HTML filter for input formats that are accessible to untrusted users (read: almost anyone). Now, users can embed ECMAScript or *gasp* Flash to make your browser do their bidding, should you ever view their comment.
If you think this is hypothetical: far from it. I used to google every month for these kinds of issues, and the harvest was always a rather pretty collection of sites. Among them various universities, open source projects, libraries and small blogs, but also (how ironic) a few Drupal shops and a number of sites dedicated to teaching Drupal. (Don't worry; I've mailed the ones I found.)
Should you feel a little worried now: good, go check your input formats!
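For admins who would rather check than click through the settings pages, here is an added example (not the post's own code, which has none): a small Python audit over rows from a Drupal 5 site's filter_formats and filters tables plus the filter_default_format variable, flagging the three mistakes described above. It assumes the Drupal 5 schema and filter.module deltas noted in the comments; the rows it runs on are constructed sample data.

```python
# Audit of a Drupal 5 site's input formats for the three misconfigurations the
# post describes. Added example, not the author's code. Assumed Drupal 5 layout:
# filter_formats(format, name, roles) with roles stored as ',1,2,', filters(format,
# module, delta) where filter.module delta 0 is the HTML filter and delta 1 the
# PHP evaluator, and filter_default_format; the default format is usable by every role.

ANONYMOUS_RID, AUTHENTICATED_RID = 1, 2          # Drupal's fixed role ids
UNTRUSTED = {ANONYMOUS_RID, AUTHENTICATED_RID}
HTML_FILTER = ("filter", 0)                       # assumed deltas, see above
PHP_FILTER = ("filter", 1)

def parse_roles(roles):
    """Turn Drupal's ',1,2,' role string into a set of role ids."""
    return {int(r) for r in roles.split(",") if r.strip()}

def audit(formats, filters, default_format):
    """Return (format_id, problem) pairs; an empty list means nothing found."""
    active = {}
    for fid, module, delta in filters:
        active.setdefault(fid, set()).add((module, delta))
    findings = []
    for fid, name, roles in formats:
        enabled = active.get(fid, set())
        # The default format is offered to everyone regardless of its role list.
        exposed = fid == default_format or bool(parse_roles(roles) & UNTRUSTED)
        if PHP_FILTER in enabled and fid == default_format:
            findings.append((fid, "php-default"))
        if PHP_FILTER in enabled and exposed:
            findings.append((fid, "php-untrusted"))
        if HTML_FILTER not in enabled and exposed:
            findings.append((fid, "no-html-filter"))
    return findings

# Constructed sample rows (not from any real site): format 3 is the PHP
# format, granted to authenticated users and also set as the default.
SAMPLE_FORMATS = [
    (1, "Filtered HTML", ",1,2,"),
    (2, "Full HTML", ",3,"),
    (3, "PHP code", ",2,"),
]
SAMPLE_FILTERS = [
    (1, "filter", 0), (1, "filter", 2), (1, "filter", 3),
    (2, "filter", 2), (2, "filter", 3),
    (3, "filter", 1),
]

if __name__ == "__main__":
    for fid, problem in audit(SAMPLE_FORMATS, SAMPLE_FILTERS, default_format=3):
        print(f"format {fid}: {problem}")
```

Point the three inputs at a query of the live tables and the same checks apply to a real site; the safe configuration (default format 1, PHP format restricted to a trusted role) produces no findings.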
For those of you who want to know more about input formats and how to use them, read Robert Douglass' excellent post Drupal Input Formats and Filters.
It's worth noting that the PHP evaluator filter moved to a separate module, disabled by default, in Drupal 6.