
Topic: Exchange based on Drupal modules - page 2. (Read 4850 times)

newbie
Activity: 27
Merit: 0
August 18, 2012, 04:04:14 AM
#7
No offense, but drupal is kinda heavy-duty for an exchange. Way too much overhead, unless you are very clever and skilled (at which point you hardly need drupal anymore)
newbie
Activity: 21
Merit: 0
August 13, 2012, 09:43:04 PM
#6
Hi,

thank you for the discussion. It helps to bring things in the right direction.
The two issues you posted are not in the core Drupal code and both require higher access to Drupal to create content. Creating content requires the site admin to trust the user, he is giving the rights to create content. Furthermore, one of the modules is only used by 34 sites. And of course every code the site admin installs on the server can manipulate the Bitcoin module. Even putting the module for the bitcoin access into a sandbox will not help, since this sandbox could also be created by the attacker's code.

Quote
If you use Drupal for anything that handles cash you better disable every module you don't actively need and still check for updates twice a day. Even then you could still get hit by a zero day.

This holds for all sites handling cash. The site admin should remove (disable) needless code and check for security issues. It is not a special case for Drupal.

The exchange is not the major target. The target is to enable site owners to easily integrate bitcoin. The exchange is only an example with the hope some users try it out.

Quote
Drupal by its design makes security issues more likely and it makes them more serious when they happen. This is not because it's complex software, it's because it's not designed with security in mind.

Hmm. Every PHP code running on the server can access the database, after reading the settings file of the original application to get the username and password. It is not a Drupal problem, it's a PHP problem. As far as I am aware, this cannot be addressed with PHP. For this you would need some other software running on the server (maybe JSP).

Since you seem to know quite a bit about Drupal and maybe other software, do you have some other recommendation which would be more appropriate?
sd
hero member
Activity: 730
Merit: 500
August 13, 2012, 08:48:49 PM
#5
Quote
In my opinion, every complex software will have security problems.

Drupal is a mass of PHP with no sandboxing or any other form of limitations placed on any module provided code. It's not insecure because it's complex software it's insecure because it's designed to be insecure. Now it might be the right tool for some websites but not for a BitCoin exchange. Any BitCoin exchange is going to have every cracker and script kiddie on the internet trying to break it and drupal just isn't up to that.

Quote
How you can explain the security problems of Bitcoinica, Bitskalper, or any other more complex site?

These were sites managed or setup by people who were not up to the job. Bitcoinica may even have been an inside job, wasn't Zhou Tong caught handling the last lot of stolen coins?

I'm not saying Drupal is the only way to screw up, there are millions of ways to screw up without Drupal being involved.

Quote
Next thing you could say, how about the daemon or any other password (like the Google Authenticator secret).
They are all stored with 256 bit AES encryption with a random password stored on the file system, not in the database!

The password must be available for Drupal to read or it can't be used. Putting it in a filesystem instead of a database doesn't improve security. There continue to be file inclusion security issues in Drupal that would let people read this password out of your file system, for example http://drupal.org/node/1719548 was discovered just 6 days ago. There are security issues that let you run arbitrary PHP code, perform SQL injection, run remote shells and countless other forms of mischief like http://drupal.org/node/1679442 discovered around a month ago. If you use Drupal for anything that handles cash you better disable every module you don't actively need and still check for updates twice a day. Even then you could still get hit by a zero day.

Drupal by its design makes security issues more likely and it makes them more serious when they happen. This is not because it's complex software, it's because it's not designed with security in mind.
newbie
Activity: 21
Merit: 0
August 13, 2012, 06:47:18 PM
#4
Hi,

thank you for your feedback and concerns. I can agree with you partly.
You are right saying Drupal had serious security problems. Am I allowed to take your argument in the following way?

Windows has a bad security history. Taking it for anything related to Bitcoin (even storing your private wallet) is a big security issue.

However, this would ignore the progress Windows made over the years, and even members of the Linux community have to admit that Windows made important steps being more secure. The same holds for Drupal (http://www.itworld.com/security/157395/joomla-or-drupal-which-cms-handles-security-best?page=0,5). It would not be so widely used (even Symantec), if it would not be secure to a certain level. The bigger problem today is the site owner, who uses insecure passwords or FTP to manage his site. So I cannot agree with you fully.

In my opinion, every complex software will have security problems. Drupal had already gone this painful way, most of the recently used Bitcoin related software not. How you can explain the security problems of Bitcoinica, Bitskalper, or any other more complex site? They are not using a framework with a bad security history. However, they were programmed from scratch, bringing the same security flaws as Drupal had. For Bitcoinica it was a hard-coded password, if I remember correctly. Simple software as for example a mining pool can be very safe, since the complexity can be overlooked by one person.

Now the point where I partly agree with you. Since we do not know what security problems Drupal may still have, I do not rely only on Drupal. All withdraws (the most important to secure) need a 2 factor authorization. First is of course the Drupal login. Second a Google Authenticator or (when I got my yubikey) a yubikey. So even if an attacker is successful to break Drupal, the coins are still safe.

Next thing you could say, how about the daemon or any other password (like the Google Authenticator secret).
They are all stored with 256 bit AES encryption with a random password stored on the file system, not in the database! So even if the attacker is successful to break your phpMyAdmin and can get the database, he would need years to get the passwords controlling the daemon or the Google Authenticator secret. If he gets access to your server (I mean real access not over FTP. The key file is not stored at a place reachable via FTP) and has found your AES key, he would still need your database (supposed the daemons are running on different systems!).

In summary: You are right. Drupal, as any complex software, has security problems.
But rather than giving up, doing nothing, you can start fixing these defects. I think of the possibilities Drupal would bring to bitcoin. I leave the dreaming for you.

I do not say my software is perfect or 100% secure. Therefore, I try to receive some feedback in how to make it more secure.

You want to help?

Best

edit:
Thing I forgot to mention, because they are more technical:
I like Drupal's module development because of their hooks. I also provide several hooks in my module to enable other modules to add additional security. That's the way the Google Authenticator or yubikey is realized.
sd
hero member
Activity: 730
Merit: 500
August 12, 2012, 03:59:33 PM
#3

Drupal wins big-time on convenience, it's the right tool for a lot of web stuff and it does enable people to setup complex sites with a minimum of effort.

HOWEVER - It has a bad security history. I doubt it's the right framework to build sites that handle BitCoins or any other things that can be quickly converted to cash.
newbie
Activity: 21
Merit: 0
August 10, 2012, 08:52:45 PM
#2
Here is a tested example PHP script in how to access the API. The API supports xml and json as posting content (no form parameters since they break the content encoding which makes a proper verification of the signed content impossible). Of course you need an API key. You can receive it from the website. Log in to your account and generate a new code. This is basically an openssl private key. Save it at a secure location, otherwise you will not be able to access the API anymore.

Basic steps:
 - First get a proper login session and use the sessionid for all other request (no access to api without login).
 - GET your accounts (define in the header the return content type, default is xml)
 - For POST (withdraw) prepare the data like address and amount, sign the content with your private key, put everything into a proper post (xml or json) and post it at the correct account URL. You will receive messages telling you what's going on.

here the code:

Code:

<?php
/*
 * Server REST - user.login
 */

// REST Server URL
$request_url = 'http://exchange.zapto.org/api/user/login';

// User data
$user_data = array(
  'username' => 'name',
  'password' => 'pass',
);
$user_data = json_encode($user_data);

// cURL
$curl = curl_init($request_url);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Accept: application/json', 'Content-Type: application/json')); // Accept JSON response
curl_setopt($curl, CURLOPT_POSTFIELDS, $user_data); // Set POST data
curl_setopt($curl, CURLOPT_HEADER, FALSE);  // Ask to not return Header
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_FAILONERROR, TRUE);

$response = curl_exec($curl);
$http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);

// Check if login was successful
if ($http_code == 200) {
  // Decode the JSON response (json_decode returns an object here)
  $logged_user = json_decode($response);
}
else {
  // Get error msg
  $http_message = curl_error($curl);
  die($http_message);
}

echo 'Login successful';

// Define cookie session
$cookie_session = $logged_user->session_name . '=' . $logged_user->sessid;

/*
 * Server REST - list the accounts
 */

$index_url = 'http://exchange.zapto.org/api/ccaccount';

$curl = curl_init($index_url);

curl_setopt($curl, CURLOPT_CUSTOMREQUEST, 'GET');
curl_setopt($curl, CURLOPT_COOKIE, "$cookie_session"); // use the previously saved session
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Accept: application/json')); // Accept JSON response
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);

$response = curl_exec($curl);
$http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);

// Check if the request was successful
if ($http_code == 200) {
  // Decode the JSON response (json_decode returns an object here)
  $accounts = json_decode($response);
}
else {
  // Get error msg
  $http_message = curl_error($curl);
  die($http_message);
}

/*
 * Server REST - ccaccount.withdraw
 */

// Withdraw parameters

// the account id (left empty here; it becomes part of the URL and of the signed string)
$id = '';
// the address where to send to coins
$withdraw_address = 'LZaau3jFx7wMP6hMrH3UsxBiLk4R6q6uFF';
// the amount
$amount = '20.0';
// a timestamp
$timestamp = time();

// Build the data string to sign
$data = $id . "_" . $withdraw_address . "_" . $amount . "_" . $timestamp;

// variable which holds the signature
$signature = '';

// let openssl sign our data with the key provided in file (the one received from the server)
openssl_sign($data, $signature, file_get_contents('/home/klinkigt/code/drupal/cryptocoin/modules/cryptocoin_api/martin.pem'));

// REST Server URL
$request_url = 'http://exchange.zapto.org/api/ccaccount/' . $id . '/withdraw';

// Withdraw data
// base64 encode the signature once!
// id is not read from the array! call the proper URI including the account id
$withdraw_data = array(
  'withdraw_address' => $withdraw_address,
  'amount' => $amount,
  'timestamp' => $timestamp,
  'sign' => base64_encode($signature),
);
$withdraw_data = json_encode($withdraw_data);

// cURL
$curl = curl_init($request_url);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_POSTFIELDS, $withdraw_data); // Set POST data
curl_setopt($curl, CURLOPT_HEADER, FALSE);  // Ask to not return Header
curl_setopt($curl, CURLOPT_COOKIE, "$cookie_session"); // use the previously saved session
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_FAILONERROR, TRUE);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Accept: application/json', 'Content-Type: application/json')); // Accept JSON response

$response = curl_exec($curl);
$http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);

// Check if the withdraw request was successful
if ($http_code == 200) {
  // Decode the JSON response (json_decode returns an object here)
  $withdraw = json_decode($response);
}
else {
  // Get error msg
  $http_message = curl_error($curl);
  die($http_message);
}

print_r($withdraw);
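
Added example, not part of the original post and not the module's own code: a sketch of the check a server has to make on the signed withdraw request described above, rebuilding the `id_address_amount_timestamp` string itself and verifying it against the stored public key. The function name `verify_withdraw()`, the 300-second freshness window, the throwaway key pair and the request values are assumptions; the post's `openssl_sign()` call passes no algorithm, so PHP uses its default (SHA-1), whereas this sketch uses SHA-256 on both sides.

```php
<?php
// Added example: server-side check of a signed withdraw request.
// Field names and the "id_address_amount_timestamp" string come from the post;
// verify_withdraw() and the 300-second window are assumptions.

const MAX_SKEW = 300; // assumed freshness window in seconds

function verify_withdraw(string $id, array $body, string $public_pem, int $now): string {
    foreach (['withdraw_address', 'amount', 'timestamp', 'sign'] as $field) {
        if (!isset($body[$field]) || !is_scalar($body[$field])) {
            return "missing field: $field";
        }
    }
    // Reject stale or future-dated requests so a captured POST cannot be replayed later.
    if (!ctype_digit((string) $body['timestamp'])
        || abs($now - (int) $body['timestamp']) > MAX_SKEW) {
        return 'timestamp outside window';
    }
    $signature = base64_decode((string) $body['sign'], true); // strict mode
    if ($signature === false) {
        return 'signature is not valid base64';
    }
    // Rebuild the signed string from the URL id and the body fields on the server side.
    $data = $id . '_' . $body['withdraw_address'] . '_' . $body['amount'] . '_' . $body['timestamp'];
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error); accept only 1.
    return openssl_verify($data, $signature, $public_pem, OPENSSL_ALGO_SHA256) === 1
        ? 'ok' : 'bad signature';
}

// Constructed demo: throwaway key pair and request values.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$public_pem = openssl_pkey_get_details($key)['key'];
$now = time();
$id = '42'; // constructed account id
$body = ['withdraw_address' => 'EXAMPLE_ADDRESS', 'amount' => '20.0', 'timestamp' => (string) $now];
openssl_sign($id . '_' . $body['withdraw_address'] . '_' . $body['amount'] . '_' . $body['timestamp'],
    $raw, $key, OPENSSL_ALGO_SHA256);
$body['sign'] = base64_encode($raw);

echo verify_withdraw($id, $body, $public_pem, $now), "\n";                          // genuine request
echo verify_withdraw($id, ['amount' => '2000.0'] + $body, $public_pem, $now), "\n"; // amount changed in transit
echo verify_withdraw('43', $body, $public_pem, $now), "\n";                         // same body sent to another account URL
echo verify_withdraw($id, $body, $public_pem, $now + 3600), "\n";                   // same body sent an hour later
```

Inside the freshness window an identical request still verifies, so rejecting a repeated request needs server-side state (for example remembering the last accepted timestamp per account), which this sketch does not keep.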
newbie
Activity: 21
Merit: 0
August 10, 2012, 08:51:43 PM
#1
Hi,

I am developing some Drupal modules. For those who do not know what Drupal is (http://drupal.org):

Quote
Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.

My target is to bring cryptocoins to the Drupal community that it can be used to pay for content etc. I am planning to release the code as open source but before I do so, I would like to have some more data about the performance, stability and most important security etc. This I can hardly test sufficiently by only working on my local system. Therefore, I also build up a small cryptocoin exchange for Bitcoin, Litecoin and when the client finished syncing also Namecoin. There are still some things to fix, so I let you know this in advance, before I receive complaints:

 - The site is running on a dedicated VPS but is not that performant (as said I would like to reach the limit of the server sooner than later)
 - The website will not show you any transactions (I had no time to code it). But your funds will be in your account after 3 confirmations for bitcoin and after 5 for litecoin. (you can use the update balance button)
 - I try to use AJAX where possible and where Drupal lets me. If something is strange and did not work, then please reload the website. Normally a message should appear at the top.

Now to the features:

 - Using Twitter's Bootstrap theme which provides a great interface for normal PC and mobile devices
 - btc-e.com style trading
 - API for listing of your accounts and remote withdraw signed via openSSL (see below for more information)
 - Trading API in preparation (mainly needs time for documentation)
 - Uses Google Authenticator for withdraw confirmation (when not using the API)
 - Commission fee 0.1%

Further work:
 - Finish trading API
 - Providing login with a YubiKey. (I have none so I cannot use the official API nor do I have resources to set up a local server right now)
 - Using openID as login system? (is anyone using openID at all?)


The website: http://exchange.zapto.org


While the exchange is running, I will finish the work on the core code. This is mainly the display of transactions (the processing is working). Furthermore, some fixes in the AJAX and a comprehensive documentation. The documentation will take the most time I guess.
After that I would like to pass the code for a review to other developers who may also use Drupal or have no trouble in setting up a local test system. After including their feedback I will release the code for the code module.

Best

edit:
Server does not send email. registration is open to everybody. If you receive messages concerning email, please ignore them for now. I will take care of this later.