Author Topic: Exchange based on Drupal modules  (Read 4823 times)
mugen (OP)
August 11, 2012, 01:51:43 AM
Last edit: August 11, 2012, 02:15:21 AM by mugen
 #1

Hi,

I am developing some Drupal modules. For those who do not know what Drupal is (http://drupal.org):

Quote
Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.

My target is to bring cryptocoins to the Drupal community so that they can be used to pay for content etc. I am planning to release the code as open source, but before I do so, I would like to have some more data about the performance, stability and, most importantly, security. This I can hardly test sufficiently by only working on my local system. Therefore, I also built a small cryptocoin exchange for Bitcoin, Litecoin and, when the client has finished syncing, also Namecoin. There are still some things to fix, so I am letting you know this in advance, before I receive complaints:

 - The site is running on a dedicated VPS but is not that performant (as said, I would like to reach the limit of the server sooner rather than later)
 - The website will not show you any transactions (I had no time to code it). But your funds will be in your account after 3 confirmations for bitcoin and after 5 for litecoin. (you can use the update balance button)
 - I try to use AJAX where possible and where Drupal lets me. If something is strange and does not work, then please reload the website. Normally a message should appear at the top.

Now to the features:

 - Using Twitter's Bootstrap theme, which provides a great interface for normal PCs and mobile devices
 - btc-e.com style trading
 - API for listing of your accounts and remote withdraw signed via openSSL (see below for more information)
 - Trading API in preparation (mainly needs time for documentation)
 - Uses Google Authenticator for withdraw confirmation (when not using the API)
 - Commission fee 0.1%

Further work:
 - Finish trading API
 - Providing login with a YubiKey. (I have none, so I cannot use the official API, nor do I have the resources to set up a local server right now)
 - Using openID as login system? (is anyone using openID at all?)


The website: http://exchange.zapto.org


While the exchange is running, I will finish the work on the core code. This is mainly the display of transactions (the processing is working). Furthermore, some fixes in the AJAX and a comprehensive documentation. The documentation will take the most time I guess.
After that I would like to pass the code for a review to other developers who may also use Drupal or have no trouble in setting up a local test system. After including their feedback I will release the code for the code module.

Best

edit:
Server does not send email. Registration is open to everybody. If you receive messages concerning email, please ignore them for now. I will take care of this later.
mugen (OP)
August 11, 2012, 01:52:45 AM
 #2

Here is a tested example PHP script showing how to access the API. The API supports XML and JSON as posting content (no form parameters, since they break the content encoding, which makes a proper verification of the signed content impossible). Of course you need an API key. You can get it from the website. Log in to your account and generate a new code. This is basically an OpenSSL private key. Save it in a secure location, otherwise you will not be able to access the API anymore.

Basic steps:
 - First get a proper login session and use the session id for all other requests (no access to the API without login).
 - GET your accounts (define the return content type in the header; the default is XML)
 - For POST (withdraw), prepare the data like address and amount, sign the content with your private key, put everything into a proper POST (XML or JSON) and post it to the correct account URL. You will receive messages telling you what's going on.

Here is the code:

Code:
<?php

/*
 * Server REST - user.login
 */

// REST Server URL
$request_url = 'http://exchange.zapto.org/api/user/login';

// User data
$user_data = array(
  'username' => 'name',
  'password' => 'pass',
);
$user_data = json_encode($user_data);

// cURL
$curl = curl_init($request_url);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Accept: application/json', 'Content-Type: application/json')); // Accept JSON response
curl_setopt($curl, CURLOPT_POSTFIELDS, $user_data); // Set POST data
curl_setopt($curl, CURLOPT_HEADER, FALSE);  // Ask to not return Header
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_FAILONERROR, TRUE);

$response = curl_exec($curl);
$http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);

// Check if login was successful
if ($http_code == 200) {
  // Decode the JSON response (json_decode returns an object here)
  $logged_user = json_decode($response);
}
else {
  // Get error msg
  $http_message = curl_error($curl);
  die($http_message);
}

echo 'Login successful';

// Define cookie session
$cookie_session = $logged_user->session_name . '=' . $logged_user->sessid;

/*
 * Server REST - ccaccount index (list your accounts)
 */

$index_url = 'http://exchange.zapto.org/api/ccaccount';

$curl = curl_init($index_url);

curl_setopt($curl, CURLOPT_CUSTOMREQUEST, 'GET');
curl_setopt($curl, CURLOPT_COOKIE, "$cookie_session"); // use the previously saved session
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Accept: application/json')); // Accept JSON response
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);

$response = curl_exec($curl);

$http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);

// Check if the account listing was successful
if ($http_code == 200) {
  // Decode the JSON response (json_decode returns an object here)
  $accounts = json_decode($response);
}
else {
  // Get error msg
  $http_message = curl_error($curl);
  die($http_message);
}

/*
 * Server REST - ccaccount.withdraw
 */

// Withdraw parameters

$id = '<some account id>';
// the address where to send the coins
$withdraw_address = 'LZaau3jFx7wMP6hMrH3UsxBiLk4R6q6uFF';
// the amount
$amount = '20.0';
// a timestamp
$timestamp = time();

// Build the data string to sign
$data = $id . "_" . $withdraw_address . "_" . $amount . "_" . $timestamp;

// variable which holds the signature
$signature = '';

// let openssl sign our data with the key provided in file (the one received from the server)
// no algorithm argument is passed, so openssl_sign() uses its default (SHA-1)
openssl_sign($data, $signature, file_get_contents('/home/klinkigt/code/drupal/cryptocoin/modules/cryptocoin_api/martin.pem'));

// REST Server URL
$request_url = 'http://exchange.zapto.org/api/ccaccount/' . $id . '/withdraw';

// Withdraw data
// base64 encode the signature once!
// id is not read from the array! call the proper URI including the account id
$withdraw_data = array(
  'withdraw_address' => $withdraw_address,
  'amount' => $amount,
  'timestamp' => $timestamp,
  'sign' => base64_encode($signature),
);
$withdraw_data = json_encode($withdraw_data);

// cURL
$curl = curl_init($request_url);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_POSTFIELDS, $withdraw_data); // Set POST data
curl_setopt($curl, CURLOPT_HEADER, FALSE);  // Ask to not return Header
curl_setopt($curl, CURLOPT_COOKIE, "$cookie_session"); // use the previously saved session
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_FAILONERROR, TRUE);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Accept: application/json', 'Content-Type: application/json')); // Accept JSON response

$response = curl_exec($curl);
$http_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);

// Check if the withdraw request was successful
if ($http_code == 200) {
  // Decode the JSON response (json_decode returns an object here)
  $withdraw = json_decode($response);
}
else {
  // Get error msg
  $http_message = curl_error($curl);
  die($http_message);
}

print_r($withdraw);
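
A sketch of the server side of the withdraw call in post #2, added here as an illustration; it is not part of the original post and not mugen's module code. It assumes the server keeps the public half of the API key, that both sides pass OPENSSL_ALGO_SHA256 (openssl_sign() defaults to SHA-1 when no algorithm is given), a 300-second freshness window, alphanumeric account ids and an in-memory replay cache; `verify_withdraw`, `canonical_string` and `MAX_SKEW` are hypothetical names, and the key pair and request values are constructed for the demo.

```php
<?php
// Added example, not the exchange's code. Assumptions: SHA-256 signatures,
// a 300 s freshness window, alphanumeric account ids, in-memory replay cache.
const MAX_SKEW = 300;

// Same layout as the client script: id_address_amount_timestamp.
function canonical_string(string $id, array $req): string {
  return $id . '_' . $req['withdraw_address'] . '_' . $req['amount'] . '_' . $req['timestamp'];
}

// Returns 'ok' or the reason for rejection. $seen is the replay cache.
function verify_withdraw(string $id, string $json, $public_key, array &$seen, int $now): string {
  $req = json_decode($json, true);
  if (!is_array($req)) {
    return 'malformed';
  }
  foreach (array('withdraw_address', 'amount', 'timestamp', 'sign') as $field) {
    if (!isset($req[$field]) || !is_scalar($req[$field])) {
      return 'malformed';
    }
    $req[$field] = (string) $req[$field];
  }
  // Strict formats: no field may contain '_', so the joined string is unambiguous.
  // The D modifier stops '$' from matching before a trailing newline.
  if (!preg_match('/^[A-Za-z0-9]+$/D', $id)) return 'bad account id';
  if (!preg_match('/^[1-9A-HJ-NP-Za-km-z]{26,35}$/D', $req['withdraw_address'])) return 'bad address';
  if (!preg_match('/^\d+(\.\d{1,8})?$/D', $req['amount'])) return 'bad amount';
  if (!preg_match('/^\d{1,10}$/D', $req['timestamp'])) return 'bad timestamp';

  $signature = base64_decode($req['sign'], true);
  if ($signature === false) return 'bad signature encoding';

  // Verify over the account id from the URL, not over anything in the body.
  $data = canonical_string($id, $req);
  if (openssl_verify($data, $signature, $public_key, OPENSSL_ALGO_SHA256) !== 1) {
    return 'bad signature';
  }
  // A valid signature is only accepted inside the freshness window ...
  if (abs($now - (int) $req['timestamp']) > MAX_SKEW) return 'stale';
  // ... and only once: the same signed tuple cannot be submitted twice.
  $key = hash('sha256', $data);
  if (isset($seen[$key])) return 'replay';
  $seen[$key] = (int) $req['timestamp'];
  return 'ok';
}

// --- Demo with a throwaway key pair and constructed request values ---
$pair = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
if ($pair === false) die("could not generate a demo key\n");
$public = openssl_pkey_get_details($pair)['key']; // PEM public key

$id = '42';
$now = time();
$req = array('withdraw_address' => 'LZaau3jFx7wMP6hMrH3UsxBiLk4R6q6uFF', 'amount' => '20.0', 'timestamp' => $now);
openssl_sign(canonical_string($id, $req), $sig, $pair, OPENSSL_ALGO_SHA256);
$req['sign'] = base64_encode($sig);
$body = json_encode($req);

$seen = array();
echo verify_withdraw($id, $body, $public, $seen, $now), "\n";        // first submission
echo verify_withdraw($id, $body, $public, $seen, $now), "\n";        // same bytes sent again
$tampered = json_encode(array('amount' => '2000.0') + $req);
echo verify_withdraw($id, $tampered, $public, $seen, $now), "\n";    // amount changed after signing
echo verify_withdraw($id, $body, $public, $seen, $now + 3600), "\n"; // captured request sent an hour later
```

In a real deployment the replay cache has to live in shared storage and entries can be dropped once they are older than the freshness window.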
sd
August 12, 2012, 08:59:33 PM
 #3


Drupal wins big-time on convenience, it's the right tool for a lot of web stuff and it does enable people to setup complex sites with a minimum of effort.

HOWEVER - It has a bad security history. I doubt it's the right framework to build sites that handle BitCoins or any other things that can be quickly converted to cash.
mugen (OP)
August 13, 2012, 11:47:18 PM
Last edit: August 13, 2012, 11:57:25 PM by mugen
 #4

Hi,

Thank you for your feedback and concerns. I can agree with you partly.
You are right in saying Drupal had serious security problems. Am I allowed to take your argument in the following way?

Windows has a bad security history. Taking it for anything related to Bitcoin (even storing your private wallet) is a big security issue.

However, this would ignore the progress Windows made over the years, and even members of the Linux community have to admit that Windows made important steps towards being more secure. The same holds for Drupal (http://www.itworld.com/security/157395/joomla-or-drupal-which-cms-handles-security-best?page=0,5). It would not be so widely used (even by Symantec) if it were not secure to a certain level. The bigger problem today is the site owner who uses insecure passwords or FTP to manage his site. So I cannot agree with you fully.

In my opinion, every complex software will have security problems. Drupal has already gone this painful way; most of the recently used Bitcoin-related software has not. How can you explain the security problems of Bitcoinica, Bitskalper, or any other more complex site? They are not using a framework with a bad security history. However, they were programmed from scratch, bringing the same security flaws as Drupal had. For Bitcoinica it was a hard-coded password, if I remember correctly. Simple software, for example a mining pool, can be very safe, since the complexity can be overseen by one person.

Now to the point where I partly agree with you. Since we do not know what security problems Drupal may still have, I do not rely only on Drupal. All withdraws (the most important to secure) need a 2 factor authorization. First is of course the Drupal login. Second a Google Authenticator or (once I have my yubikey) a yubikey. So even if an attacker is successful in breaking Drupal, the coins are still safe.

Next thing you could say, how about the daemon or any other password (like the Google Authenticator secret).
They are all stored with 256 bit AES encryption with a random password stored on the file system, not in the database! So even if the attacker is successful in breaking your phpMyAdmin and can get the database, he would need years to get the passwords controlling the daemon or the Google Authenticator secret. If he gets access to your server (I mean real access, not over FTP; the key file is not stored at a place reachable via FTP) and has found your AES key, he would still need your database (supposing the daemons are running on different systems!).

In summary: You are right. Drupal, as any complex software, has security problems.
But rather than giving up, doing nothing, you can start fixing these defects. I think of the possibilities Drupal would bring to bitcoin. I leave the dreaming for you.

I do not say my software is perfect or 100% secure. Therefore, I try to receive some feedback in how to make it more secure.

You want to help?

Best

edit:
Things I forgot to mention, because they are more technical:
I like Drupal's module development because of its hooks. I also provide several hooks in my module to enable other modules to add additional security. That's the way the Google Authenticator or yubikey is realized.
sd
August 14, 2012, 01:48:49 AM
 #5

Quote
In my opinion, every complex software will have security problems.

Drupal is a mass of PHP with no sandboxing or any other form of limitations placed on any module provided code. It's not insecure because it's complex software, it's insecure because it's designed to be insecure. Now it might be the right tool for some websites but not for a BitCoin exchange. Any BitCoin exchange is going to have every cracker and script kiddie on the internet trying to break it and drupal just isn't up to that.

Quote
How can you explain the security problems of Bitcoinica, Bitskalper, or any other more complex site?

These were sites managed or setup by people who were not up to the job. Bitcoinica may even have been an inside job, wasn't Zhou Tong caught handling the last lot of stolen coins?

I'm not saying Drupal is the only way to screw up, there are millions of ways to screw up without Drupal being involved.

Quote
Next thing you could say, how about the daemon or any other password (like the Google Authenticator secret).
They are all stored with 256 bit AES encryption with a random password stored on the file system, not in the database!

The password must be available for Drupal to read or it can't be used. Putting it in a filesystem instead of a database doesn't improve security. There continue to be file inclusion security issues in Drupal that would let people read this password out of your file system, for example http://drupal.org/node/1719548 was discovered just 6 days ago. There are security issues that let you run arbitrary PHP code, perform SQL injection, run remote shells and countless other forms of mischief like http://drupal.org/node/1679442 discovered around a month ago. If you use Drupal for anything that handles cash you better disable every module you don't actively need and still check for updates twice a day. Even then you could still get hit by a zero day.

Drupal by its design makes security issues more likely and it makes them more serious when they happen. This is not because it's complex software, it's because it's not designed with security in mind.
mugen (OP)
August 14, 2012, 02:43:04 AM
 #6

Hi,

Thank you for the discussion. It helps to bring things in the right direction.
The two issues you posted are not in the core Drupal code and both require higher access to Drupal to create content. Creating content requires the site admin to trust the user he is giving the rights to create content. Furthermore, one of the modules is only used by 34 sites. And of course every code the site admin installs on the server can manipulate the Bitcoin module. Even putting the module for the bitcoin access into a sandbox will not help, since this sandbox could also be created by the attacker's code.

Quote
If you use Drupal for anything that handles cash you better disable every module you don't actively need and still check for updates twice a day. Even then you could still get hit by a zero day.

This holds for all sites handling cash. The site admin should remove (disable) needless code and check for security issues. It is not a special case for Drupal.

The exchange is not the major target. The target is to enable site owners to easily integrate bitcoin. The exchange is only an example with the hope some users try it out.

Quote
Drupal by its design makes security issues more likely and it makes them more serious when they happen. This is not because it's complex software, it's because it's not designed with security in mind.

Hmm. Every PHP code running on the server can access the database, after reading the settings file of the original application to get the username and password. It is not a Drupal problem, it's a PHP problem. As far as I am aware, this cannot be addressed with PHP. For this you would need some other software running on the server (maybe JSP).

Since you seem to know quite a bit about Drupal and maybe other software, do you have some other recommendation which would be more appropriate?
MAD_MAD
August 18, 2012, 09:04:14 AM
 #7

No offense, but drupal is kinda heavy-duty for an exchange. Way too much overhead, unless you are very clever and skilled (at which point you hardly need drupal anymore)
idev
August 21, 2012, 09:08:46 PM
 #8

Are you planning to open the code at all?
mugen (OP)
August 22, 2012, 09:34:44 AM
 #9

Quote
Are you planning to open the code at all?

Yes, I am still planning this. However, I really want to do a deep review concerning the access control and security related issues. I also looked at all security issues published for Drupal 7 (older versions do not count). Here are my considerations:

SA-CORE-2011-001 http://drupal.org/node/1168756

1 critical Reflected cross site scripting vulnerability in error handler: not critical if following the guideline for productive websites. Affects cryptocoin modules.

1 Cross site scripting vulnerability in Color module: Requires higher rights "Administer themes". Might affect cryptocoin modules

1 Bypass access to private files: Does not affect cryptocoin modules


SA-CORE-2011-002 http://drupal.org/node/1204582

1 Highly critical: Access bypass in node listings. Requires additional modules to be critical. Does not affect cryptocoin modules


SA-CORE-2011-003 http://drupal.org/node/1231510

1 less critical: download of shared files without permissions by guessing the file name. Does not affect cryptocoin modules


SA-CORE-2012-001 http://drupal.org/node/1425084

1 denial of service in aggregator module. Does not affect cryptocoin modules

1 issue in OpenID also affects Drupal if this module is enabled (view user information), might be an issue

1 download of shared files without permissions in combination with other not core modules. Does not affect cryptocoin modules


SA-CORE-2012-002 http://drupal.org/node/1557938

critical

1 denial of service: requires higher right: "post comments" or "Forum topic: Create new content". Does not affect cryptocoin modules

1 Unvalidated form redirect: requires social engineering. Affects cryptocoin modules (of course it is social engineering)

1 Access bypass - forum listing: showing last unpublished node, even if user has no access. Does not affect cryptocoin modules

1 Access bypass - private images: view of private images without permissions. Does not affect cryptocoin modules

1 Access bypass - content administration: requires higher rights "Access the content overview page" and additional modules. Does not affect cryptocoin modules


For 4 of the reported issues the hacker may have access to the user account, but not to the administration interface. The attacker cannot control the daemon!
Concerning the user account, as said, I am thinking of 2 factor authorization. If an attacker can access the user account, he still cannot send the coins out.

I do not consider other modules which could cause a risk. It is like saying Windows is insecure because Adobe Acrobat has a security issue. Drupal's core is reasonably hard to attack, I think.
xchrix
September 25, 2012, 07:58:57 AM
 #10

hey i cant login at your page
i do always have to reset my password. always!
what is the input field "code" meant do be?

i do also have an mtgox yubikey. is it possible to get this key working?
Liquid
September 25, 2012, 09:06:29 AM
 #11

Quote
hey i cant login at your page
i do always have to reset my password. always!
what is the input field "code" meant do be?

i do also have an mtgox yubikey. is it possible to get this key working?

+1 me also cannot login

Bitcoin will show the world what hard money really is.
mugen (OP)
September 26, 2012, 04:48:26 AM
 #12

Quote
hey i cant login at your page
i do always have to reset my password. always!
what is the input field "code" meant do be?

i do also have an mtgox yubikey. is it possible to get this key working?

I renamed "Code" to "Google Authenticator Code". I hope it becomes more clear. If you have setup such a Google Authenticator Code you have to provide it during login.

YubiKey:
Yes, normally you should also be able to use a mtgox yubikey on this exchange.
xchrix
September 26, 2012, 05:59:20 AM
 #13

havent provided google authenticator code
and mtgox yubikey isnt working :(

Code:
Error message
Sorry, unrecognized username or password. Have you forgotten your password?
mugen (OP)
September 26, 2012, 08:14:18 AM
 #14

Quote
havent provided google authenticator code
and mtgox yubikey isnt working :(

Code:
Error message
Sorry, unrecognized username or password. Have you forgotten your password?

To make a mtgox yubikey work, you first have to assign it to your account in your user profile.
If you have not assigned anything (neither a Google Authenticator nor a yubikey), login will only require username and password.

I tried it with my own testing account and I have no problems with login, with or without 2 factor. After resetting the password you should set up a new password. The link provided in the email only works once.

best
xchrix
September 26, 2012, 02:06:50 PM
 #15

hm i think i am too stupid.

ok once again what i did exactly this way 5 minutes ago

1. reset password
2. got an email. clicked on the link
3. entered new password twice
4. message: "Status message. The changes have been saved."

i dont have provided ga or yubikey because i see this
Code:
Withdraw has been suspended for your account, since you have only setup 0 of 1 required authenticator. You may use the following authenticators to confirm your transactions:
YubiKey, Google Authenticator

5. logout
6. login again
7. error message: "Error message. Sorry, unrecognized username or password. Have you forgotten your password?"

did i do something wrong?
xchrix
September 26, 2012, 02:09:54 PM
 #16

ok tried again. password reset.
then tried to add a yubikey (i think the mtgox keys are different?)

1. go to "yubikey idendities"
2. pressed my yubikey
3. it generates a key
4. error message

Code:
Error message
YubiKey OTP validation failed with message: NO_VALID_ANSWER
mugen (OP)
September 27, 2012, 01:29:30 AM
 #17

Quote
hm i think i am too stupid.

ok once again what i did exactly this way 5 minutes ago

1. reset password
2. got an email. clicked on the link
3. entered new password twice
4. message: "Status message. The changes have been saved."

i dont have provided ga or yubikey because i see this
Code:
Withdraw has been suspended for your account, since you have only setup 0 of 1 required authenticator. You may use the following authenticators to confirm your transactions:
YubiKey, Google Authenticator

5. logout
6. login again
7. error message: "Error message. Sorry, unrecognized username or password. Have you forgotten your password?"

did i do something wrong?

hmm this is very strange. If I follow your steps this does not happen to me. Do you have some other errors which may cause this problem?

best
mugen
mugen (OP)
September 27, 2012, 01:30:52 AM
 #18

Quote
ok tried again. password reset.
then tried to add a yubikey (i think the mtgox keys are different?)

1. go to "yubikey idendities"
2. pressed my yubikey
3. it generates a key
4. error message

Code:
Error message
YubiKey OTP validation failed with message: NO_VALID_ANSWER

Then it seems to me that the MtGox Yubikey is not only a specially labeled one, it is also branded to only work with MtGox. I am sorry for this, but it seems it cannot be used for this site.

best
xchrix
September 27, 2012, 06:15:12 AM
 #19

this is ok. i dont need the yubikey
login is working now!!! :) veery strange.
mugen (OP)
September 27, 2012, 07:10:26 AM
 #20

Quote
this is ok. i dont need the yubikey
login is working now!!! :) veery strange.

Good to hear that it works now. I can only guess, but maybe it is related to bringing the site into maintenance mode. During maintenance maybe all cookie sessions are canceled, leading to these problems. Anyway, it's good to hear that everything is working.

best