
Anonymous users flood unwanted content to my website (shouldn't be allowed)

Hi everybody,
I have a problem: while people are not allowed to create accounts nor create any type of content, I am flooded with content from anonymous users and of no type:
You can see it here: http://img15.hostingpics.net/pics/472103Capturede769cran20130115a7681158...
These contents appear nowhere, but they overcharge my server.
I've checked all my user permissions, and no one should be able to post content without being logged in!
Could that be a security issue?
Thank you !
Max

Comments

Kind of content

I couldn't tell from your screenshot - are they comments or nodes that are being created?

The first thing I would do is look at the IP address that is posting - sometimes that sheds some light.

Indeed, check the IP

Indeed, check the IP address:

Reports > Recent log messages > [filter by Type: 'content'] > [click a message, see 'Hostname']

I bet it's 127.0.0.1 - e.g., these nodes are generated by some broken code on the site itself, not by outside users.

Thanks for your answer. Well,

Thanks for your answer.
Well, there is no "content" message in my logs... It's very weird, isn't it ?

Well, that's actually further

Well, that's actually further proof those nodes were not created from the user interface. (The log message is added by node_form_submit.)

So there must be some code somewhere that does node_save() directly.

Is there anything in the logs

Is there anything in the logs at the time these nodes / comments were created? (You still haven't clarified that you are talking about nodes rather than comments.) If they are nodes, what type of node are they?
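The log check asked for in the replies above can be done directly against the database. This is an added example, not part of the original thread; it assumes a Drupal 7 schema on MySQL/MariaDB with no table prefix and the Database logging (dblog) module enabled, and the 60-second window is an arbitrary choice.

```sql
-- Added example. Assumptions: Drupal 7 tables (node, node_type, watchdog),
-- MySQL/MariaDB, no table prefix, dblog enabled.

-- 1) Every node whose type is empty or is not a defined content type,
--    paired with each log entry written within 60 seconds of its creation.
--    A 'cron' entry with no 'content' entry next to it points at code
--    calling node_save() rather than at a submitted node form.
SELECT
  n.nid,
  n.type                     AS node_type,
  n.uid                      AS author_uid,    -- 0 = anonymous
  FROM_UNIXTIME(n.created)   AS created_at,
  w.type                     AS log_type,      -- e.g. 'cron', 'content', 'php'
  w.hostname                 AS log_hostname,  -- requesting IP as Drupal saw it
  w.uid                      AS log_uid,
  FROM_UNIXTIME(w.timestamp) AS logged_at,
  w.location                 AS request_url,
  w.message                  AS raw_message    -- placeholders not substituted
FROM node n
LEFT JOIN node_type nt
       ON nt.type = n.type
LEFT JOIN watchdog w
       ON w.timestamp BETWEEN n.created - 60 AND n.created + 60
WHERE nt.type IS NULL                          -- '' and unknown types alike
ORDER BY n.created DESC, w.timestamp
LIMIT 200;

-- 2) Creation cadence of those nodes, bucketed per hour. Evenly spaced
--    bursts that line up with the cron schedule indicate an internal job.
SELECT
  FROM_UNIXTIME(n.created, '%Y-%m-%d %H:00') AS hour_bucket,
  COUNT(*)                                   AS untyped_nodes,
  MIN(n.uid)                                 AS min_uid,
  MAX(n.uid)                                 AS max_uid
FROM node n
LEFT JOIN node_type nt
       ON nt.type = n.type
WHERE nt.type IS NULL
GROUP BY hour_bucket
ORDER BY hour_bucket DESC;
```

The watchdog table is trimmed to a configured row limit, so log rows may be missing for older nodes.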

That's the weird thing : they

That's the weird thing : they are content of no type. The type column is empty. I suppose they are nodes and not comments, since they appear in admin/content.
When I try to edit one of them, I'm prompted :

Notice : Undefined index: article_node_form dans drupal_retrieve_form() (ligne 763 dans /homepages/12/d417485737/htdocs/includes/form.inc).
Warning : call_user_func_array() [function.call-user-func-array]: First argument is expected to be a valid callback, 'article_node_form' was given dans drupal_retrieve_form() (ligne 798 dans /homepages/12/d417485737/htdocs/includes/form.inc).

At the exact time they are created, I see in the logs that a Cron task is launched. The backup-migrate task didn't work because of a file permission problem, which I just solved. There is also a job scheduler task.
I wanted to run the Cron manually to see if it generated new unwanted content (now that the problem is solved), but it doesn't work anymore! I get:
Fatal error: Unsupported operand types in /homepages/12/d417485737/htdocs/modules/node/node.module on line 1368

Definitely a bug in your code

This is definitely a bug in your code, not a hacker who is posting content and bypassing their lack of authorisation. If an anonymous user had found a way to create content on the site, the result would have one of your real content types.

It's hard to say what the flaw could be. Do you have any nodes that use the PHP content type, or have you created any rules / triggers that might run PHP code when they are executed? Have you got any modules in there that you've written yourself, or any templates that have customised code? Something very strange is going on - but it's not a security flaw.

I can recreate this by using

I can recreate this by using a fresh Drupal with Features and UUID. When I enable the "UUID default entities example" in Features, the exact same thing happens. Additionally, a user mohamed is created.

So maybe you enabled some feature set?