On October 11th (2016) the Drupal.org Security Team issued a Public Service Announcement (PSA). The PSA alerts everyone managing a Drupal 7 or Drupal 8 website that spammers have been found uploading files to Drupal websites and then linking to those files from other websites, as a way of gaining an artificial SEO "boost".
Agileware has audited all the Drupal websites that Agileware supports and, where needed, adjusted the website configuration to prevent this issue from occurring. You will have seen an activity entry in the Drupal Support Activity Report which corresponds to this work.
However, it is important to understand the two features that spammers are taking advantage of. These are:
Unfortunately, this gives spammers a 6 hour window in which to receive the artificial SEO "boost". It is also an opportunity for Google to discover the URL, detect the spam and flag your website as "hacked". This is far from great: a security warning will then appear in Google search results whenever your website is listed, and also when someone visits your website using the Google Chrome browser. That is potential for serious damage to your organisation's brand, trust and reputation.
To avoid this situation for your website:
The above rule also applies to any other form you may be using on Drupal to receive public, unauthenticated content.
Longer term, Drupal needs a change reducing the default 6 hour period after which temporary files are removed; 15 minutes or 1 hour should be sufficient. Alternatively, this option should be configurable on a per-website basis. Ultimately, Drupal's entire handling of temporary files (as in this case) needs to be improved: it is reasonable to expect that temporary files should not be accessible via a public URL for any period of time.

Update, 1st November: a new issue has been created to address the temporary file issue in Drupal 7 and 8, see https://www.drupal.org/node/2817427
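Until core changes, a site can shorten the window itself. The following is an added example written for this post, not code from Agileware, the PSA or Drupal core. It is a small Drupal 7 module (the module name `agileware_tempfile_purge`, the constant and the 15 minute value are assumptions for illustration) whose `hook_cron()` selects temporary files the same way core's `file_cron()` does, but with a much shorter cutoff than core's 6 hour `DRUPAL_MAXIMUM_TEMP_FILE_AGE`. It only helps if cron actually runs at that frequency, so the site's cron schedule must be checked alongside it.

```php
<?php
/**
 * @file
 * agileware_tempfile_purge.module (hypothetical module name).
 *
 * Added example for Drupal 7: deletes temporary (never attached) uploads
 * after 15 minutes instead of core's DRUPAL_MAXIMUM_TEMP_FILE_AGE (21600 s,
 * i.e. 6 hours). Core's own file_cron() keeps running unchanged; this hook
 * simply gets to the file first. Cron must run at least every 15 minutes
 * (system cron hitting cron.php, or drush cron) for the shorter limit to
 * mean anything.
 */

/**
 * Maximum age of a temporary file, in seconds. Assumed value: 15 minutes.
 */
define('AGILEWARE_TEMPFILE_MAX_AGE', 900);

/**
 * Implements hook_cron().
 */
function agileware_tempfile_purge_cron() {
  $cutoff = REQUEST_TIME - AGILEWARE_TEMPFILE_MAX_AGE;

  // Same selection core's file_cron() uses, with a shorter cutoff: any row in
  // {file_managed} whose status is not FILE_STATUS_PERMANENT is an upload
  // that has not been attached to saved content, and for a public:// field
  // it is already reachable by URL.
  $fids = db_query('SELECT fid FROM {file_managed} WHERE status <> :permanent AND timestamp < :cutoff', array(
    ':permanent' => FILE_STATUS_PERMANENT,
    ':cutoff' => $cutoff,
  ))->fetchCol();

  if (empty($fids)) {
    return;
  }

  foreach (file_load_multiple($fids) as $file) {
    // Mirror core's behaviour: do not remove a file something still uses.
    $usage = file_usage_list($file);
    if (!empty($usage)) {
      watchdog('agileware_tempfile_purge', 'Temporary file %path (fid @fid) is still in use; not deleted.', array('%path' => $file->uri, '@fid' => $file->fid), WATCHDOG_NOTICE);
      continue;
    }
    // file_delete() removes both the file on disk and the file_managed row.
    if (file_delete($file) !== TRUE) {
      watchdog('agileware_tempfile_purge', 'Could not delete temporary file %path (fid @fid).', array('%path' => $file->uri, '@fid' => $file->fid), WATCHDOG_WARNING);
    }
  }
}
```

Note that this shrinks the window but does not close it: a file uploaded through a public form still sits at a web-accessible path until the next cron run. Removing the upload field from unauthenticated forms, as recommended above, is the fix that actually removes the exposure.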
You can read the full announcement here on drupal.org, https://www.drupal.org/psa-2016-003
Director at Agileware. Justin has been developing and supporting software since the 90s. A strong advocate of free software and consumer rights.
The Agileware office is located in Canberra, providing services locally and around the world. Talk to us today and we'll help you find a solution that works for your organisation.