Cash.Williams@Acquia.com
@CashWilliams
This is a presentation of security mistakes.
Why?
I enjoy learning this way, and its fun to see what other people do wrong!
Deploying development data to production during the initial deploy.
Site allows untrusted users to create content with insecure html (or PHP!!) content.
We're allowing everyone to use <iframe> because it is now an expected feature.
That was easy!
Exposing sensitive data with Views.
print $user->bio;
$form['bio'] = array(
'#type' => 'item',
'#title' => t('Bio'),
'#markup' => $user->bio,
);
Built to be a general AJAX autopopulate callback.
Developer set 'access arguments' = TRUE
to ensure it would always be accessabile.
$items['gethacked/cache/get/%'] = array(
'page callback' => 'gethacked_get_cache',
'page arguments' => array(3),
'access callback' => TRUE,
'type' => MENU_CALLBACK,
);
This function simply returns
the value of any cache ID.
function gethacked_get_cache($cache_id) {
$cache_table = isset($_POST['cache_table']) ? $_POST['cache_table'] : 'cache';
print cache_get($cache_id, $cache_table);
}
Allowing data to be set via a request.
function gethacked_set_cache($cache_id) {
$cache_table = isset($_POST['cache_table']) ? $_POST['cache_table'] : 'cache';
$expire_type = isset($_POST['expiry']) ? $_POST['expiry'] : 'CACHE_PERMANENT';
cache_set($cache_id, $_POST['cache_data'], $cache_table, $expire_type);
print $_POST['cache_data'];
}
function gethacked_autocomplete($args, $string) {
$matches = array();
$sql = t("SELECT tid, name FROM {term_data} td WHERE td.name LIKE '$string%'");
$res = db_query($sql);
if ($res->num_rows > 0) {
while ($row = db_fetch_array($res)) {
$matches[$row['name']] = $row['name'];
}
print drupal_json($matches);
}
}
Insecurly communicating with external authorization system.
Relying on an insecure cookie.