Input Formats and Filters

One of Drupal's great features is the input formats, which allow various roles to input different kinds of HTML content. One of their main purposes is ensuring that users with basic roles are limited to certain HTML tags and that they can't abuse those tags to execute XSS. You may want to limit anonymous users to style tags like <strong>, <em>, and <blockquote> but reserve more powerful and specific tags like <h2> and <embed> for advanced roles. The filter system goes beyond simple HTML tag filtering and can be used for additional purposes, such as transforming pseudo markup into real code the way the Inline module replaces [inline:filename.jpg] with <img src="files/filename.jpg">. Here are three easy steps to the safe use of the input system.

[Figure 3-7: screenshot of the Permissions page at admin/user/permissions on the Cracking Drupal test site. The page's help text reads: "Permissions let you control what users can do on your site. Each user role (defined on the user roles page) has its own set of permissions. For example, you could give users classified as 'Administrators' permission to 'administer nodes' but deny this power to ordinary, 'authenticated' users. You can use permissions to reveal new features to privileged users (those with subscriptions, for example). Permissions also allow trusted users to share the administrative burden of running a busy site." Below it is a grid of check boxes with one column per role (anonymous user, authenticated user, Power Users) and one row per permission, grouped by module: block module (administer blocks, use PHP for block visibility), blog module (create blog entries, delete any blog entry, delete own blog entries, edit any blog entry), and so on.]

Figure 3-7 The many check boxes of Drupal's Permissions page

Step 1: Limit the Allowed Tags

By default, Drupal core provides two input formats: Filtered HTML and Full HTML. The default Filtered HTML configuration allows users to enter certain tags with known parameters that are difficult to exploit for XSS or CSRF. If you add in new tags, then it's possible that they will introduce vulnerabilities to your site. In particular, the following tags may enable users to attack your site.

CAUTION

Dangerous tags to grant to users:

SCRIPT, IMG, IFRAME, EMBED, OBJECT, INPUT, LINK, STYLE, META, FRAMESET, DIV, BASE, TABLE, TR, TD
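The following is an added example, not code from the book or from Drupal, that models what an allowlist-based HTML filter such as Filtered HTML does: tags outside the allowlist are dropped (the text inside them is kept, except for script and style content), and on the tags that survive only a known set of attributes is kept, so event handlers, style attributes and javascript: links disappear along with the dangerous tags from the CAUTION list. The tag list, the per-tag attribute table and the URL prefixes are my assumptions for the example; Drupal's own implementation is filter_xss(), which is not reproduced here.

```python
"""Allowlist HTML filter modelled on Drupal's Filtered HTML format.

Constructed example: the allowlists below are assumptions for illustration,
not values read from a Drupal installation.
"""
from html import escape
from html.parser import HTMLParser

# Tags kept by default, modelled on the Filtered HTML tag list (assumption).
DEFAULT_ALLOWED_TAGS = frozenset(
    {"a", "em", "strong", "code", "ul", "ol", "li", "dl", "dt", "dd"})
# Per-tag attribute allowlist; anything not listed here is dropped, which
# removes on* event handlers and style= on every tag (assumption).
ALLOWED_ATTRS = {"a": {"href", "title"}}
# href values must start with one of these, so unknown schemes are dropped.
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
# Elements whose text content is dropped together with the tag.
DROP_CONTENT_TAGS = {"script", "style"}


class AllowlistFilter(HTMLParser):
    """Rebuilds the markup, keeping only allowed tags and attributes."""

    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed_tags = set(allowed_tags)
        self.parts = []
        self.skip_depth = 0  # > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed_tags:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return  # disallowed tag is dropped; its text is kept unless skipped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # unknown attribute (e.g. onmouseover, style) dropped
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # URL scheme not on the allowlist (javascript:, data:)
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
        elif tag in self.allowed_tags:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so stray '<' and '&' cannot form new markup.
        if not self.skip_depth:
            self.parts.append(escape(data, quote=False))

    # Comments and declarations are dropped simply by not re-emitting them.


def filter_html(markup, allowed_tags=DEFAULT_ALLOWED_TAGS):
    """Return markup reduced to the allowed tags and attributes."""
    parser = AllowlistFilter(allowed_tags)
    parser.feed(markup)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    # Constructed sample input a low-privilege user might submit.
    sample = '<strong onmouseover="x()">Hi</strong><img src="a.jpg"><a href="javascript:x()">l</a>'
    print(filter_html(sample))
    # A stricter allowlist for anonymous users, as the text suggests:
    print(filter_html("<h2>Title</h2><em>e</em>", {"em", "strong"}))
```

The point of the per-tag attribute table is the "known parameters" part of the Filtered HTML description: allowing a tag is only safe when the attributes that may ride along with it are also limited to an allowlist, and the href check is an allowlist of schemes rather than a denylist of bad ones.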

Step 2: Limit Permissions

When you edit an input format, one of the options you get is the ability to change which roles can use the filter. Granting the use of advanced filters to low-privilege users can give them the ability to exploit your site. You should ensure that filters for Anonymous, Authenticated, and other low-level roles are limited to safe tags.

Step 3: Remove the PHP Filter

The PHP filter allows any user who can use an input format containing it to run arbitrary PHP code, which is a feature but also quite dangerous, since it potentially gives an attacker the full capabilities of PHP to do whatever he wants. Even if you don't allow low-privilege roles to use the PHP filter, the existence of the filter on your site is a potential weakness. If an attacker gains access to the password or session of a user who can configure the input formats, then the attacker is able to configure the site in a manner that enables him to execute PHP.

In Drupal 5.x, the PHP filter was part of the core filter module, and to get some protection and remove it from the site you had to use the Paranoia module. In Drupal 6.x you can simply disable the PHP filter module and remove the code from the modules/ directory.

A quick way to evaluate the configuration of input formats is to simply log out of the site and then try posting content or a comment and looking at the input formats available to you. Figure 3-8 shows the formats available to an admin on a typical site.

[Figure 3-8: the input format selector below the content form, showing the formats available to an admin. The Filtered HTML format's help text reads "Web page addresses and e-mail addresses turn into links automatically. Allowed HTML tags: <a> <em> <strong> <code> <ul> <ol> <li> <dl> <dt> <dd>"; the Full HTML format's help text reads only "Web page addresses and e-mail addresses turn into links automatically."]

Figure 3-8 The input format selector

If any of the formats on your site allow anonymous or untrusted authenticated roles to add any of the tags listed in step 1, then you have a problem. If a format available to low-privilege users does not say "Allowed HTML tags," then it is not filtering tags at all and your site is at risk.
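The three-step review above can be written down as a check over the format configuration. The following is an added example, not code from the book or from Drupal: it models each input format as a small record (name, roles that may use it, the filters it contains, and its "Allowed HTML tags" string, which is empty when no HTML filter is configured) and reports the three conditions the text describes. The sample configuration is constructed; the filter names ("HTML filter", "URL filter", "Line break converter", "PHP evaluator") follow Drupal 6's filter module to my knowledge but are treated here as assumed labels, not values read from a site.

```python
"""Audit of input-format configuration against steps 1-3 of the text.

Constructed example: the format records below are hand-built to mirror what
the Input formats page shows; they are not Drupal's own data structures.
"""

# Tags from the CAUTION list in step 1, lowercased for comparison.
DANGEROUS_TAGS = frozenset({
    "script", "img", "iframe", "embed", "object", "input", "link", "style",
    "meta", "frameset", "div", "base", "table", "tr", "td"})

# Roles the text treats as low-privilege (step 2).
LOW_PRIVILEGE_ROLES = frozenset({"anonymous user", "authenticated user"})

# Constructed sample configuration. "allowed_html" is None when the format has
# no HTML filter and therefore shows no "Allowed HTML tags" line.
SAMPLE_FORMATS = [
    {"name": "Filtered HTML",
     "roles": {"anonymous user", "authenticated user", "Power Users"},
     "filters": ["HTML filter", "URL filter", "Line break converter"],
     "allowed_html": "<a> <em> <strong> <code> <ul> <ol> <li> <dl> <dt> <dd>"},
    {"name": "Full HTML",
     "roles": {"Power Users"},
     "filters": ["URL filter", "Line break converter"],
     "allowed_html": None},
    {"name": "Rich Comments",              # misconfigured: step 1 violation
     "roles": {"authenticated user"},
     "filters": ["HTML filter"],
     "allowed_html": "<a> <em> <strong> <img> <table> <tr> <td>"},
    {"name": "PHP code",                   # step 3: PHP filter still present
     "roles": {"Power Users"},
     "filters": ["PHP evaluator"],
     "allowed_html": None},
]


def parse_allowed_html(spec):
    """Turn '<a> <em> <strong>' into {'a', 'em', 'strong'}."""
    return {token.strip("<>").lower() for token in spec.split()}


def audit_formats(formats, low_roles=LOW_PRIVILEGE_ROLES):
    """Return (format name, finding code, detail) tuples for each problem.

    Finding codes:
      php-filter       the PHP evaluator exists anywhere on the site (step 3)
      no-html-filter   a low-privilege role can use a format that does not
                       filter tags at all (the missing "Allowed HTML tags")
      dangerous-tags   a low-privilege role may use tags from the step 1 list
    """
    findings = []
    for fmt in formats:
        exposed = set(fmt["roles"]) & set(low_roles)
        if "PHP evaluator" in fmt["filters"]:
            findings.append((fmt["name"], "php-filter",
                             "PHP evaluator present; disable the PHP filter module"))
        if not exposed:
            continue  # only trusted roles can use this format
        if "HTML filter" not in fmt["filters"] or fmt["allowed_html"] is None:
            findings.append((fmt["name"], "no-html-filter",
                             f"no tag filtering for {sorted(exposed)}"))
            continue
        bad = parse_allowed_html(fmt["allowed_html"]) & DANGEROUS_TAGS
        if bad:
            findings.append((fmt["name"], "dangerous-tags",
                             f"allows {sorted(bad)} to {sorted(exposed)}"))
    return findings


if __name__ == "__main__":
    for name, code, detail in audit_formats(SAMPLE_FORMATS):
        print(f"{name}: {code}: {detail}")
```

Run against the sample configuration, the audit flags "Rich Comments" for granting <img> and the table tags to authenticated users and "PHP code" for the presence of the PHP evaluator; "Full HTML" passes only because it is restricted to Power Users, and would be reported as unfiltered the moment a low-privilege role were added to it.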
