-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The full text of this advisory can also be found at http://www.madirish.net/?article=447 Description of Vulnerability: - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The Twitter Module (http://drupal.org/project/twitter) suffers from potential vulnerability due to the fact that it could expose stored Twitter account credentials to theft or exposure. Systems affected: - ----------------- Drupal 6.15 with Twitter Module 6.x-2.6 was tested and shown to be vulnerable. Impact - ------ The Drupal Twitter module handles credentials in an unsafe manner, allowing anyone with read access to the Drupal database, or with access to network traffic between the Drupal server and the Twitter API, to observe the full Twitter username and password for Twitter user configured through the module. Mitigating factors: - ------------------- Twitter module must be installed and configured with user account credentials. Technical discussion and proof of concept: - ------------------------------------------ The Drupal Twitter contravenes many of the stated Twitter "Secure Best Practices." (http://apiwiki.twitter.com/Security-Best-Practices) The module stores Twitter credentials unobscured in the Drupal database. Both user specific passwords and the global site Twitter account credentials are stored. The global passwords can be found in the Drupal variable table: mysql> select * from variable where name like 'twitter_global%'; +-------------------------+--------------------------+ | name | value | +-------------------------+--------------------------+ | twitter_global_name | s:16:"Twitter username"; | | twitter_global_password | s:16:"Twitter password"; | +-------------------------+--------------------------+ 2 rows in set (0.00 sec) User specific credentials can be found in the twitter_user table: mysql> select * from twitter_user; +-----+--------------+-----------+--------+ | uid | screen_name | password | import | +-----+--------------+-----------+--------+ | 3 | twitter_name | twit_pass | 1 | +-----+--------------+-----------+--------+ 1 row in set (0.00 sec) The inclusion of the full credentials in the database exposes these credentials to theft by anyone with read access to the database. This includes anyone with sufficient permissions to craft PHP through Drupal, which is a native function of many of the core and extended third party modules. Additionally when the module updates a Twitter feed status or verifies account credentials it utilizes base 64 encoded, but unencrypted connections, to pass credentials and update status messages rather than the OAuth facility provided by Twitter (http://apiwiki.twitter.com/OAuth-FAQ). - -- Justin C. Klein Keane http://www.MadIrish.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iPwEAQECAAYFAkt5hsIACgkQkSlsbLsN1gBYDAb+IxFbwW1JnQ9mRF5Cdn8nu/LZ Q0Er+sMGqhqogIIi58n0RX08/x5FmMUdI5L8ryyEJ+YiaC+AGY/CicCH9a4boqgQ 6UCWioGLdsgXSqZsikvEM09G2ipF16/SM4i+IZJCREMlsfhAzrutJRr04nWx/bkl n6qKpBrgEJaoymn27DxTAffczF6aD4NweOk7yh1ZJiocpTNdEUGWH2E3iwzvJKzc e8WH+MVX+O+PNeXBOP1saXmoj4UAkhGDKoGqsBpLVek8nIJBaU7IB1ZIR4ZDgOuz L00owo31ZyWgL1qDazE= =KMsh -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/