Running Drupal 6.x and we noticed today that about 4 pieces of content on our site were modified from a random IP address. The author was changed to "anonymous" by deleting the original author, and the TITLE and BODY were changed to what I can only describe as advertising spam content.

How could this possibly happen when anonymous users do not have access to edit content? Any ideas?

Comments

yosilv’s picture

Moreover, anonymous was able to add content to a restricted CCK content type.
When I traced the IP, it was some spam generator in Uganda.
Can anyone explain this?

Kirk’s picture

Are all of your modules and core up to date?

yosilv’s picture

Yes.

yosilv’s picture

In my website I have a CCK content type named volunteer opportunities.
What we noticed today is that an anonymous user with no permission to access or edit this content type managed to add a new entry and change a few others.

The entry added was called "Crabfishday" and its content was the following comment: "I agree with the post above and I will grab more information from google google".
The last 2 googles were a hyperlink to www.google.pi, which is an empty link.

If you google this you will notice that the same comment was posted on many other Drupal sites:

This is mine: http://shalombc.org/Langley%20Arts%20Council%20Volunteer%20Opp
What is interesting is the addition of view and edit tabs.

Other sites:
http://www.bulimiahelp.org/community/forums/crabfishday
http://www.sit.polytechnic.edu.na/?q=node/159 - also with view and edit tabs enabled
http://www.amazonia-andina.org/en/content/crabfishday - also with view and edit tabs enabled
http://www.paulblackthorne.com/node/143
http://forum.realmagick.com/viewtopic.php?f=3&t=2533
http://www.ujnews.com/event-calendar/?q=node/149 - also with view and edit tabs enabled

This is just from the first result page that Google returned.
Do we have a CCK security breach in Drupal ...

Kirk’s picture

My gut tells me that stuff like this is usually more of a user error than an actual exploit. However, if you think there is in fact an exploit, the proper place to be discussing it is the issue queue: http://drupal.org/project/issues/drupal?categories=All

Now that I look at the links you have provided, it appears to be a user error to me.

For example, take this page: http://www.sit.polytechnic.edu.na/?q=node/159. As an anonymous user, I am able to edit that page. That is a security problem. If you are not logged into the site, and you have access to the "Edit" tab, it isn't an exploit. It is a case of you not properly setting up permissions.

As for the other examples, some of them are not Drupal sites. And some of them appear to be sites that you can simply join and post content. In which case, a bot can spam you. Based on what I've seen on the examples you've provided, there is no evidence that this is an exploit.
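The permission check discussed in the reply above, as an added example that is not part of the original thread: Drupal 6 keeps one row per role in its `permission` table, with `perm` as a comma-separated string and role id 1 for anonymous, so the output of `SELECT rid, perm FROM permission` can be audited for write grants. The sample rows, role 3 and the content type name `volunteer_opportunity` are constructed assumptions.

```python
import re

ANONYMOUS_RID = 1  # Drupal 6 reserves role id 1 for the anonymous role

# Node permissions in Drupal 6 are named "<verb> <type> content".
NODE_WRITE = re.compile(
    r"^(create|edit any|edit own|delete any|delete own) (.+) content$")
# Permissions that let a role change the site without naming a content type.
BROAD_WRITE = {"administer nodes", "administer content types",
               "administer permissions", "administer filters",
               "post comments", "post comments without approval"}


def parse_perm(perm_field):
    """Split the comma-separated `perm` column into permission names."""
    return [p.strip() for p in perm_field.split(",") if p.strip()]


def audit_perm(perm_field):
    """Return (per_type, broad) write grants found in one `perm` value."""
    per_type, broad = {}, []
    for perm in parse_perm(perm_field):
        match = NODE_WRITE.match(perm)
        if match:
            per_type.setdefault(match.group(2), []).append(match.group(1))
        elif perm in BROAD_WRITE:
            broad.append(perm)
    return per_type, broad


def audit_anonymous(rows):
    """rows: (rid, perm) tuples; only the anonymous role is reported."""
    per_type, broad = {}, []
    for rid, perm_field in rows:
        if rid == ANONYMOUS_RID:
            found, wide = audit_perm(perm_field)
            for ctype, verbs in found.items():
                per_type.setdefault(ctype, []).extend(verbs)
            broad.extend(wide)
    return per_type, broad


# Constructed sample rows; role 3 and the content type name are hypothetical.
SAMPLE_ROWS = [
    (1, "access content, post comments, create volunteer_opportunity content, "
        "edit any volunteer_opportunity content"),
    (3, "access content, edit any volunteer_opportunity content, administer nodes"),
]

if __name__ == "__main__":
    print(audit_anonymous(SAMPLE_ROWS))
```

An empty result for the anonymous role rules out the plain permissions page as the cause; access granted through node access modules is stored elsewhere and is not covered by this check.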

yosilv’s picture

Thanks for the reply Kirk,
I'll try to be more specific as to what happens:
Firstly, you are right, not all the links are Drupal sites; the PHPBB site is not Drupal. I put this site there just to show that there is a robot spammer that targets all sites. The rest of the sites, however, are Drupal sites.

Looking at the track information logs at my site I was able to get to a Ugandan spam bot.

Now for the symptoms and why I think this is not a user mistake but rather an exploit:

1. The "CrabFishDay" listing was not added by the organization staff; it suddenly appeared out of nowhere in one of the views.

2. Looking at the content listing of this new content, the author was "anonymous", which by the permissions of our website is not allowed to create any content, just view.

3. The appearance of the View/Edit tabs is also strange because we do not display those tabs to anyone but the staff of the organization that adds the content and has a special user role for editing content with the relevant permissions.

4. This is not the only content that was changed/added by the anonymous user; we had more new listings, and changes to listings we took off and that suddenly re-appeared.

5. As far as I could see, the changes seem to be only with new CCK defined user types which have location module fields associated with them.

6. I would agree this is some sort of misconfiguration if I had seen it only on my site, but as it happens it appears in many sites (mostly Drupal ones) as a comment or a new listing. I have a suspicion that when the comments are disabled for the content types (as it is in our site) a new listing is created.

I want to add that in our site the default input format for all the users (including anonymous) is full HTML, which might have caused this breach (I already reversed it back to filtered HTML).

As for reporting, I already sent an e-mail to the security team with a link to this posting.

Kirk’s picture

You might be right. But as for your issue #6, with the exception of one site that you linked, every single one of them allowed anonymous users to edit content, or for simple user registration for a user to post content. So based on the examples you have provided, you have shown no actual evidence.

Your site is the only one that presumably has been exploited, assuming of course your security settings are correct. It also seems strange to me that no one else is having this pop up. I would expect something like this to be much more widespread.

Hopefully you're wrong on this one, and hopefully you figure out the cause of your issue.

yosilv’s picture

The only thing that strikes me as odd is the view/edit tabs that appear with the anonymous user.
I cannot explain it for my site (and I'm not new to Drupal).

BTW, not all sites missed it. When I was googling "crabfishday" I came across sites that noticed it and removed the new listing (you could see it in the Google result teaser but the link was missing on the site itself).

I'm leaving mine posted until I hear something from the security team or I can figure this for myself. I will update once I have results.

Kirk’s picture

Yeah, the more I look at this, the more the results on Google are all obviously a result of bad permissions. In fact, I haven't found one instance where that isn't obviously the case.

In some cases they edited the node. In other cases, they registered an account and made a forum post or posted a comment.

I went through 5 pages of results on Google and couldn't find one that wasn't easily explained. They were almost all either Drupal nodes that were edited, or they were phpBBs with spam posts. Interestingly, the vast majority of these are sites outside of the US.

What's most likely is that someone wrote a bot that looks for Drupal sites and active "edit" links.

yosilv’s picture

The scenario you are describing might be true for the sites you checked; however, it does not apply to ours since we disabled the automatic account creation.
Any user who wants to register with us is added manually by the organization staff via the administration pages.

You are correct about the spammer. After looking at the logs of the website I managed to find and verify the spammer bot by its IP address:

http://www.projecthoneypot.org/ip_193.219.219.244

I also noticed that there were a few common settings of the nodes that were hit by this spammer:

1. They were all custom CCK content types with location module fields.

2. They were all with comments enabled (probably the default settings I put to disable comments were overridden by one of the sites staff).

3. All nodes were marked as private (using the private module).

I suspect that between these 4 modules (private, CCK, location and comments) we have some sort of a security "hole"; however, I cannot say this with 100% certainty.
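The log review described in the thread, as an added example that is not part of the original posts: it scans web server access-log lines for POSTs to Drupal 6 node and comment write paths, in both clean-URL and `?q=` form, and groups them by client IP. The log lines, IP addresses and timestamps are constructed, and the common/combined log format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: ip, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Drupal 6 paths that create or change nodes and comments.
WRITE_PATH = re.compile(
    r"^(node/add(/[\w-]+)?|node/\d+/(edit|delete)|comment/reply/\d+(/\d+)?)$")


def drupal_path(url):
    """Return the internal Drupal path for clean URLs and for ?q= URLs."""
    parts = urlsplit(url)
    q = parse_qs(parts.query).get("q")
    return (q[0] if q else parts.path).strip("/")


def write_posts(lines):
    """Group POSTs to node/comment write forms by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, stamp, method, url, status = m.groups()
        path = drupal_path(url)
        if method == "POST" and WRITE_PATH.match(path):
            hits[ip].append((stamp, path, int(status)))
    return dict(hits)


def accepted(hits):
    """Keep only submissions answered with a redirect (3xx): Drupal redirects
    after a successful form submit and answers 403 when access is denied."""
    kept = {ip: [h for h in rows if 300 <= h[2] < 400] for ip, rows in hits.items()}
    return {ip: rows for ip, rows in kept.items() if rows}


# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2010:04:11:02 +0000] "GET /?q=node/159 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2010:04:11:05 +0000] "POST /?q=node/159/edit HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2010:04:11:09 +0000] "POST /node/add/volunteer-opportunity HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2010:05:00:00 +0000] "POST /node/12/edit HTTP/1.1" 403 980',
    '192.0.2.10 - - [01/Jan/2010:09:30:00 +0000] "POST /user/login HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jan/2010:09:30:04 +0000] "GET /node/12/edit HTTP/1.1" 200 7300',
]
```

The access log does not record whether a request carried a logged-in session, so the accepted hits are a starting point to match against the `changed` timestamps of the affected nodes.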