
We have a production Drupal server serving content, but some pages are broken when a pager link is clicked. It was found that the URLs are being changed with unrecognizable keywords. For example,

For the URL

www.foo.com/poems/case/index.html?search_api_views_fulltext=&page=2

the URL is changed to

www.foo.com/poems/case/index.html/cmd.php?search_api_views_fulltext=&page=2

Similarly, cmd.php is sometimes replaced by /contact and /www.googletagmanager.com/ns.html in the last few days.

The Drupal log has a successful GET when the link is clicked as shown below. By the looks of it, we suspect a SQL injection. What do you think?

www.foo.com/poem/case/index.html/contact?search_api_views_fulltext=&page=21&%3Bamp%2525252525253bamp%2525252525253b%2525252525253bamp%2525252525253bpage=1&%3Bamp%2525252525253bamp%2525252525253b%2525252525253bpage=1&%3Bamp%2525252525253bamp%2525252525253bpage=3&%3Bamp%2525252525253bpage=2&%3Bpage=3 HTTP/1.1" 200 19997

Lego
    I don't see any SQL injection there. What happened when you inspected the filesystem for things that shouldn't be there? – Michael Hampton Feb 01 '17 at 03:51
  • We searched the entire DB on production for the string “cmd.php”. It only appeared in two tables. Being in table-1 is a natural result of the flawed pages being visited. The flawed entries in table-2 could be a result of hack. When hackers exploit sql injection they sometimes obscure their stuff by encoding it, say into base64 making it virtually impossible to find. – Lego Feb 01 '17 at 11:13
  • That log line has nothing like SQL in it. It could be an attempt to exploit some existing Drupal security issue. – Tero Kilkanen Feb 01 '17 at 11:32
  • Any thoughts on why keywords like cmd.php or contact get inserted in the URLs while we click on certain links? – Lego Feb 01 '17 at 12:34

2 Answers


This sounds possibly like a side effect of someone trying various exploits (it is common for sites to get probed, even for WP vulns) and accidentally poisoning the cache of rendered content.

Some examples of such issues: https://www.drupal.org/node/2847972 and https://www.drupal.org/node/2819197

I'm also a little confused why any of your paths would have index.html. Is that just an alias?

PWolanin
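Added example (not from the question or either answer): a small defender-side log scanner that flags the two symptoms described above, an extra path segment appended after index.html and a query string that only resolves after several rounds of percent-decoding. The log lines are constructed for the example, modelled on the request in the question; the thresholds and finding texts are my own choices.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines modelled on the request quoted in the question
# (client addresses and timestamps are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2017:03:40:11 +0000] "GET /poems/case/index.html?search_api_views_fulltext=&page=2 HTTP/1.1" 200 18211
10.0.0.9 - - [01/Feb/2017:03:41:02 +0000] "GET /poem/case/index.html/contact?search_api_views_fulltext=&page=21&%3Bamp%2525252525253bamp%2525252525253b%2525252525253bamp%2525252525253bpage=1&%3Bpage=3 HTTP/1.1" 200 19997
10.0.0.9 - - [01/Feb/2017:03:42:40 +0000] "GET /poems/case/index.html/cmd.php?search_api_views_fulltext=&page=2 HTTP/1.1" 200 19997
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_depth(s, limit=10):
    """Percent-decode `s` until it stops changing; return (decoded, rounds needed)."""
    rounds = 0
    while rounds < limit:
        nxt = unquote(s)
        if nxt == s:
            break
        s, rounds = nxt, rounds + 1
    return s, rounds


def analyse_request(target):
    """Return a list of findings for one request target, empty if it looks normal."""
    parts = urlsplit(target)
    findings = []
    # Symptom 1: a segment appended after a file-like segment,
    # e.g. index.html/cmd.php or index.html/contact.
    segs = parts.path.split("/")
    for seg, nxt in zip(segs, segs[1:]):
        if "." in seg and nxt:
            findings.append(f"segment after {seg!r}: {nxt!r}")
    # Symptom 2: a query that needs several decoding rounds (the %2525...3b
    # chains look like '&amp;' that was re-encoded on each pager click).
    decoded, rounds = decode_depth(parts.query)
    if rounds > 1:
        findings.append(f"query percent-encoded {rounds} times")
    pages = decoded.count("page=")
    if pages > 1:
        findings.append(f"{pages} page parameters after decoding")
    return findings


def scan_log(text):
    """Return (target, findings) for each request line that triggers a finding."""
    hits = []
    for m in REQUEST_RE.finditer(text):
        findings = analyse_request(m.group("target"))
        if findings:
            hits.append((m.group("target"), findings))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines and leaves the clean first request alone; a nested-decoding depth of 7 on one query string is a good thing to alert on before the rendered page cache picks it up.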

some pages are broken when a pager link is clicked upon

This sounds like an issue with

  1. Broken code for generating the pagers. Is it core or a contrib module? It seems broken, but not necessarily in a way that represents a security bug.
  2. Broken caching code.
greggles