By rhizomenetworks on

Hello,

Today when visiting my Drupal website I noticed the logo icon is not presented correctly. I checked the url an noticed that the url has been replaced!!!

Instead of having the origianl url for my website logo
www.contentglass.com/sites/default/files/logo_160x56_0.png

with the logo there was this url:
www.ps780.com/sites/default/files/logo_160x56_0.png

Trying to run the url download APK file (android application) to the file system.
There were no new registrations to the system.
No new content has been created.
The system is drupal - 7.43

Was anyone else had this problem?

Regards,
Gilad.

Categories: Drupal 7.x

Comments

vm’s picture

vm commented

no. so either your server account has been compromised or the site was compromised in some way.

rhizomenetworks’s picture

rhizomenetworks commented

Well, I suspect this is one of the installed modules.

here is the code from theme.inc line 1474 where the logo file name is taken and a full path is created: 


<?php
      // Generate the path to the logo image.
      if ($cache[$theme]['toggle_logo']) {
        if ($cache[$theme]['default_logo']) {
          $cache[$theme]['logo'] = file_create_url(dirname($theme_object->filename) . '/logo.png');
        }
        elseif ($cache[$theme]['logo_path']) {

          //this is the specific line!!!
          $cache[$theme]['logo'] = file_create_url($cache[$theme]['logo_path']);
        }
      }

?>

After calling this function the path of the logo is for example:

http://[my domain]/sites/default/files/logo_160x40.png

But instead it was: 

http://[other domain]/sites/default/files/logo_160x40.png

And this can happen if the function "file_create_url" is somehow affected!
Since problem disappear after re-save the theme, I assume it may be related with some data stored by cachedfile, and is is relation with the process of function "file_create_url" .
By changing $GLOBALS['base_url']

I will keep investigating it.

rhizomenetworks’s picture

rhizomenetworks commented

I had an incident with other website I am maintain, in which cache file that was created upon some request showed that either HTTP_HOST or SERVER_NAME has been faked by some unknown request, and the recorded value used to build links was set to www.ctrip.com instead of pointing to the correct domain of this specific website.

The result is of course that pages that uses absolute URL to load resources has not load the resources and the page recorded by cache file was look corrupted.

I think that what happen in my website is similar. Some request made by some robot or hacker call the website in a way that provide incorrect HTTP_HOST value, equals to "www.ps780.com". This cause the global $base_url to be set with this domain, and since logo file is refer with absolute url created from base_url, the logo was not shown correctly.

The code that initiate base_url from HTTP_HOST is here: bootstrap.inc::drupal_settings_initialize

....
    $http_protocol = $is_https ? 'https' : 'http';
    $base_root = $http_protocol . '://' . $_SERVER['HTTP_HOST'];

    $base_url = $base_root;
......

This of course make drupal unfavourable for any resources that uses a URL created from HTTP_HOST and in which the resource is stored in cache. Of course after cleaning the cache problem gone, as in my case.

So the question now, is how this robot/hacker fake and invalid HTTP_HOST. I will keep investigating it.

BTW: the common for these two cases is that the fake domain refer to Chinese website.

rhizomenetworks’s picture

rhizomenetworks commented

To check the possibility of affecting HTTP_HOST I added the header to some Ajax request in one of my software and surprisingly!!!
The data of this header is accepted by the server.

Given the fact that many applications can use this header to construct URL and the fact that created pages are cached, it seems to be too easy to harm a website, temporarily using the approach.

This can be prevented of course by simple line that HTTP_HOST with list of permitted domain names, for example if you have some CNAME values in the DNS that point to the same website (therefore will create different HTTP_HOST)
or using the fixed $base_url in the settings file.

.......

  if (file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) {
    include_once DRUPAL_ROOT . '/' . conf_path() . '/settings.php';
  }
  $is_https = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';

  if (isset($base_url)) {
    // Parse fixed base URL from settings.php.
    $parts = parse_url($base_url);
    if (!isset($parts['path'])) {
      $parts['path'] = '';
    }
    $base_path = $parts['path'] . '/';
    // Build $base_root (everything until first slash after "scheme://").
    $base_root = substr($base_url, 0, strlen($base_url) - strlen($parts['path']));
  }
  else {
    // Create base URL.
    $http_protocol = $is_https ? 'https' : 'http';
    $base_root = $http_protocol . '://' . $_SERVER['HTTP_HOST'];

    $base_url = $base_root;
...........