Contrib.social

Installer race condition, attacker could install faster than you

Open on Drupal.org β†’
Created on 11 June 2015, over 9 years ago
Updated 3 February 2023, over 1 year ago

This issue has been reported to the Drupal Security Team but it was decided to handle this as public security improvement.

Problem/Motivation

Reported by chx:

A starts installation.

A enters database credentials.

B browses to install.php?language=en&profile=minimal

B now skips the DB credentials since they are now in settings.php and might manage to finish system install first (especially if the DB driver has a lot to do in Install\Tasks) and then the install of A errors out so the install of B finishes and steals uid 1 and takes over your Drupal / server. Of course, when the install of A errors out, A is going to wipe the Drupal -- maybe before B finishes but maybe not. And even if A wiped, B can retry -- the settings.php is there. A and B are now racing who can start another install first...

Of course, this needs to be timed really, really precisely so I do not think this is a serious problem (how does B even know what URL to attack?). Nor do I think there's any way to mitigate this. But I am raising it anyways.

Not sure if this only applies to Drupal 7 or to Drupal 8 as well.

Proposed resolution

?

Remaining tasks

Discuss solutions, check if this also applies to Drupal 8.

User interface changes

none.

API changes

none.

πŸ“Œ Task
Status

Active

Version

9.5

Component
InstallΒ  β†’

Last updated 4 days ago

No maintainer
Created by

πŸ‡¦πŸ‡ΉAustria klausi πŸ‡¦πŸ‡Ή Vienna

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago β†’
    πŸ‡¬πŸ‡§United Kingdom catch

    A session cookie seems tricky - if you set up the database in settings.php (or drop and recreate a database for an already-installed site) then reinstall through the UI, aren't you essentially doing the same thing as someone who would be trying to exploit this? Being able to install from the UI with a pre-configured settings.php is a feature.

    I'm going to reclassify as a task after discussing this with @mstrelan in slack:

    1. The majority of sites are no longer installed on production. They're started on local environments or dev/staging servers, and then that database gets synced to production.

    2. Even if a site is installed on production, as noted in the original comments here, it needs to be discoverable, and unless it's been abandoned for a long time in the half-installed state described here, that won't be the case.

    However if we can come up with something that doesn't break existing use-cases then it wouldn't do any harm.

  • Comment over 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

    unless it's been abandoned for a long time in the half-installed state described here, that won't be the case

    If a site is created and has an ssl cert the certificate transparency process (wikipedia and a better description) means it's a matter of hours for the site to be known. I forget the context, but I've seen some evidence that attackers are using the certificate transparency logs to identify sites to probe.

    I do agree with you that it's less common in 2023 to upload Drupal and install it on the site, but I guess there are bulk hosting companies where that is still the standard.

  • Comment over 1 year ago β†’
    πŸ‡³πŸ‡ΏNew Zealand quietone

    This was a bugsmash daily triage target to which catch has responded, adding tag.

  • Comment over 1 year ago β†’
    πŸ‡¬πŸ‡§United Kingdom catch

    Thinking about this a bit more:

    A session cookie seems tricky - if you set up the database in settings.php (or drop and recreate a database for an already-installed site) then reinstall through the UI, aren't you essentially doing the same thing as someone who would be trying to exploit this? Being able to install from the UI with a pre-configured settings.php is a feature.

    A possible idea to mitigate this.

    If we write to settings.php from the installer database form, we know we're in the UI installer, so we can write an additional flag $settings['installed_from_ui'] or similar (including a token if necessary) as well as a cookie. Then the next step(s) of the installer, can look for that as well as the cookie.

    That way if you set up settings.php manually, you're not prevented from installing via the UI. If you're working locally and want to re-install, you can delete that line from settings.php to remove the protection. Would make things a bit less disruptive to use-cases, and we can include a note in the error message (similar to update_free_access).

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024