Drupal Twitter Module Credential Exposure

["Justin C. Klein Keane" <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The full text of this advisory can also be found at
http://www.madirish.net/?article=447

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules.  The Twitter Module
(http://drupal.org/project/twitter) suffers from potential vulnerability
due to the fact that it could expose stored Twitter account credentials
to theft or exposure.

Systems affected:
- -----------------
Drupal 6.15 with Twitter Module 6.x-2.6 was tested and shown to be
vulnerable.

Impact
- ------
The Drupal Twitter module handles credentials in an unsafe manner,
allowing anyone with read access to the Drupal database, or with access
to network traffic between the Drupal server and the Twitter API, to
observe the full Twitter username and password for Twitter user
configured through the module.

Mitigating factors:
- -------------------
Twitter module must be installed and configured with user account
credentials.

Technical discussion and proof of concept:
- ------------------------------------------
The Drupal Twitter contravenes many of the stated Twitter "Secure Best
Practices." (http://apiwiki.twitter.com/Security-Best-Practices)

The module stores Twitter credentials unobscured in the Drupal database.
 Both user specific passwords and the global site Twitter account
credentials are stored.  The global passwords can be found in the Drupal
variable table:

mysql> select * from variable where name like 'twitter_global%';
+-------------------------+--------------------------+
| name                    | value                    |
+-------------------------+--------------------------+
| twitter_global_name     | s:16:"Twitter username"; |
| twitter_global_password | s:16:"Twitter password"; |
+-------------------------+--------------------------+
2 rows in set (0.00 sec)

User specific credentials can be found in the twitter_user table:

mysql> select * from twitter_user;
+-----+--------------+-----------+--------+
| uid | screen_name  | password  | import |
+-----+--------------+-----------+--------+
|   3 | twitter_name | twit_pass |      1 |
+-----+--------------+-----------+--------+
1 row in set (0.00 sec)

The inclusion of the full credentials in the database exposes these
credentials to theft by anyone with read access to the database.  This
includes anyone with sufficient permissions to craft PHP through Drupal,
which is a native function of many of the core and extended third party
modules.

Additionally when the module updates a Twitter feed status or verifies
account credentials it utilizes base 64 encoded, but unencrypted
connections, to pass credentials and update status messages rather than
the OAuth facility provided by Twitter
(http://apiwiki.twitter.com/OAuth-FAQ).

- -- 
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkt5hsIACgkQkSlsbLsN1gBYDAb+IxFbwW1JnQ9mRF5Cdn8nu/LZ
Q0Er+sMGqhqogIIi58n0RX08/x5FmMUdI5L8ryyEJ+YiaC+AGY/CicCH9a4boqgQ
6UCWioGLdsgXSqZsikvEM09G2ipF16/SM4i+IZJCREMlsfhAzrutJRr04nWx/bkl
n6qKpBrgEJaoymn27DxTAffczF6aD4NweOk7yh1ZJiocpTNdEUGWH2E3iwzvJKzc
e8WH+MVX+O+PNeXBOP1saXmoj4UAkhGDKoGqsBpLVek8nIJBaU7IB1ZIR4ZDgOuz
L00owo31ZyWgL1qDazE=
=KMsh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/