Thursday, December 29, 2011

Know the platforms you use

The open source content management platform Drupal is widely used for both commercial and personal web pages. While using a ready-made content management system makes life easier by hiding some complexity, it also bears the risk that your web page has some functionality available you are not aware of and do not want to expose.

Many web pages based on Drupal are used as personal blogs or just offer some company information. In these cases, Drupal is more or less just used to "hide the HTML stuff underneath". Drupal (and add-ons), however, can offer far more functionality such as discussion boards or community management.

One common functionality is the user registration, by default available at the URL path "/user/register". A lot of these interfaces can be found by a simple Google search (click here). In the cases shown, this is most likely desired functionality, where users should be able to register their own accounts and (depending on their rights) create or alter web page contents.

Sometimes, however, user registration interfaces just have been forgotten and they were never disabled after the initial installation. Although they are not linked from the normal web page contents, the relevant pages are still present. In these cases, an attacker might simply register his own account and, for example, modify web page data. This simple example shows that it is always important to have knowledge about the platform you use - be it a content management system like Drupal or be it infrastructure components such as application servers (JBoss, Tomcat, etc.)

In order to automate the task of finding and reporting Drupal user registration interfaces during security assessments, I created a simple script that uses the nmap scripting engine. More information about the nmap scripting engine and all the ready-made scripts that already ship with your nmap installation can be found here.

Unfortunately, I cannot add attachments to this blog post, so I paste the script here at the end, which makes the whole message a bit lengthy...


description = [[
Reports possible user registration pages of the Drupal CMS,
available at the URL path "/user/register". Some Drupal
installations have this functionalty unintentionally left open.
]]

---
-- @usage
-- nmap -p 80 --script drupal-registration-page.nse example.com
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | drupal-registration-page.nse: Possible CMS user registration
-- |_interface at: http://example.com:80/user/register

author = "mk"
license = "BSD license (3 clause)"
categories = {"safe", "discovery"}

require 'shortport'
require 'http'
require 'stdnse'

local url = "/user/register"

-- Strings that must be present in a working registration page
local positiveCriteria = {
"<form action=\"/user/register\"",
"<input type=\"text\" maxlength=\"64\" name=\"mail\""
}

-- Strings that must not be present in a working registration page
local negativeCriteria = {
"Access Denied",
"You are not authorized"
}

function portrule(host, port)
return shortport.http(host, port)
end

function action(host, port)
local httpResp
local msg = {}

-- Abort if the HTTP response is empty or not 200 OK
httpResp = http.get(host, port, url)
if httpResp.status ~= 200 or httpResp.body == "" then
return nil
end

-- Abort if known "access denied" strings are found
for k,v in pairs(negativeCriteria) do
if string.find(httpResp.body,v) then
return nil
end
end

-- Abort if known registration page strings cannot be found
for k,v in pairs(positiveCriteria) do
if not string.find(httpResp.body,v) then
return nil
end
end

-- Output message
msg[#msg+1] = "Possible CMS user registration interface at:"
msg[#msg+1] = port.service .. "://" .. host.targetname .. ":" ..
port.number .. url
return stdnse.strjoin("\n", msg)

end

1 comment:

  1. Selecting a Content Management System is extremely essential moving forward. I am a big fan of Drupal. Because Considering the most well known education websites like UC Berekely and USC use Durpal, everything clicked For hosting I build on GetPantheon including features like core updates on the dashboard which Content Management System have you used?

    ReplyDelete