How to detect a Drupal Installation

On 15th October Drupal project disclosed a severely critical vulnerability SA-CORE-2014-005 in Drupal core. Durpal is one of the most commonly used Content Management System (CMS), apart from WordPress and Joomla. CMS helps in organizing and storing files of a website.

The vulnerability affects Drupal version 7.x, before 7.32, and some deployments of 6.x. An SQL injection vulnerability is present in Drupal’s abstraction API layer and an unauthenticated user can easily exploit it. More details about the vulnerability are available at PSA-2014-003.

Lets look into some signatures which can be used to detect a Drupal installation:

1. CHANGELOG.txt: A default Drupal installation will have a CHANGELOG.txt file present in the root folder of the website. The presence of this file helps in couple of ways, firstly, it affirms presence of Drupal CMS and secondly helps in extracting the version of the Drupal running on the website. One can check Drupal’s website to check how does this work.

2. HTTP Expire header: A default Drupal installation have value of ‘Sun, 19 Nov 1978 05:00:00 GMT’ for expires header. It is fairly a good signature as not many servers will keep exactly this value.

Expire header in case of a Drupal installation
Expire header in case of a Drupal installation

3. X-Generator HTTP Header:  A default installation also sends a ‘X-Generator’ header in the HTTP response with value ‘Drupal 7 (’ .

4. Looking for Drupal modules: In case above mentioned methods are disabled by the server admin (which is very likely), one can scan for Drupal specific plugins. An exhaustive list is available here.

Determining Version:

Above methods, apart from CHANGELOG.txt, can only give us only a yes/no. But if one need to go a bit further and wants to determine the version of Drupal running??

To solve this problem, one can use the fact that Drupal is an open source tool. Clone the Drupal code and look for the file which is most changed across various versions. One would prefer to look for javascript or css files, as these will be easy to fetch and unlikely to be changed by the website developer. In my short research I found using modules/color/color.js is a nice place to start with. Generate a SHA-1 hash of color.js across various versions of Drupal, then fetch this file from the website and hash and check against an already generated hash table to determine the version, or at least a range.  You can practice this technique here.

Will update this post in case I find some more signatures. If you know one and would like to share, please leave it in the comments below.

Keep hacking !! 😀

Concentrate on the means, end will follow

One thing that makes humans unique compared to the other life forms is the ability to simulate. The sleepless night before an exam, or hallucinations of all going wrong before a big meeting, in all these restless hours our brain is simulating the outcome. More often than not we find ourselves simulating one situation or the other, the situation could be of an event basking us in glory or beating us down to the abyss. In all this process, it is very human to forget about the build up towards the end. The work we are putting in to reach towards the end, the goal which we tend to simulate.

Like all other aspects of life, Vedanta philosophy discusses this aspect as well. One of the eminent proponent of Vedanta Philosophy, Swami Vivekananda in one of the discourses in Los Angeles in 1900, gave insight on this very issue. He said, “our great defect in life is that we are so much drawn to the ideal, the goal is so much more enchanting, so much more alluring, so much bigger in our mental horizon, that we lose sight of the details altogether. But whenever failure comes, if we analyse it critically, in ninety-nine percent of cases we shall find that it was because we did not pay attention to the means”. He puts stress on the fact that one should pay as much attention to the means as to the end. If the means are right, then the end should come. He went on to add, “it is the cause which produces the effect; the effect cannot come by itself; and unless the cause are exact, proper, and powerful, the effect will not be produced. The means are the cause: attention to the means, therefore, is the great secret of life.”

In Bhagwad Gita, the lure of the goal or the expectation is identified as one of the major cause of human suffering. Why you feel unhappy when you do not get a return smile? Its not because we smiled but the expectation of getting a smile. It doesn’t mean that you will not smile when you meet another person. The problem is not by what we give, but by what we expect. Thus, one should not get lured by the outcome and should continue to work towards the goal without any expectation. Constantly work with all your power; to put your whole mind in the work, whatever it be, that you are doing. Stop simulating the outcomes, bring your brain activities under your control. The outcome is not under your control, but the work you are putting in towards it, is under your control.

So in a nutshell, let us perfect the means; the end will take care of itself.