John Andrews is a Competitive Webmaster and Search Engine Optimization Consultant in Seattle, Washington. This is John Andrews' blog on issues of interest to the SEO community and competitive webmasters.

johnon.com  Competitive Webmastering & SEO
July 9th, 2006 by john andrews

How easy is Black Hat SEO?

Let’s say you learn of a Drupal security flaw. Let’s say it permits an unauthorized SQL injection. Let’s say you figure out how to insert a backlink into the Drupal link list using that exploit.

Drupal is a popular Open Source content management system, in use on hundreds of thousands of websites. It is very good, and very flexible. It is free, but installation and configuration (customization) may cost a few thousand dollars in consulting fees. Basically, it is free of licensing fees but a real, commercially used product.

So you go to Google, and search “password and instructions will be sent to this e-mail address, so make”, and you find a list of 167,000 URLs of Drupal sites. Then you hit each of the first 1000 of those with your exploit URL… one at a time… from a free or cheap web hosting account. And then you hit a different Google datacenter for another 1,000 sites.

Or, you could have narrowed your search for on-theme websites (more valuable back links?) by adding a keyword to that Google search such as “seo”. That way you only get the best sites for your back link spam.

How long do you have to act on one of these newly-discovered security vulnerabilities? Many months, as many of the webmasters do not patch or update their Drupal installations once they are deployed. I can’t blame them too much, because once you have customized the installation there is often plenty of work required following any update process.

Often a patch can easily be applied directly to only that part of the Drupal system that was flawed. However, application developers who deploy Drupal for their clients don’t often see direct patching as economically beneficial to them, so they may try and bundle the patch in with some other unfinished (and billable) work for the client. No sale, no patch. In fact, many clients don’t even know they are running Drupal. They paid a consultant for a CMS, and got one that worked.

Spam is not rocket science. Consequently, spamming can be stopped by some simple (albeit tedious) attention to detail. Usually, we are too lazy. Do we therefore deserve to be spammed?

July 7th, 2006 by john andrews

Stealth Link Building via Open Source Contributions

As I waited the two or three minutes WordPress2 needs to post a small edit to this blog, I wondered why I was so casual about ripping backlinks out of the WordPress templates I downloaded yesterday. That issue is blog-worthy, I think. So this time, I smartly opened a second tab before hitting “save”. So while WordPress takes another 2-3 minutes to update the post slug, I can blog about stealth links in open source software.

I’ll go back and flesh out the issue later, but let’s just say there are plenty of direct backlinks hidden inside these “free” downloads. Some time ago I helped expose a case of user agent cloaking hidden within a front end re-write ruleset for the Invision Power Board forum. In that case, the author had inserted a cloaking script into the front end of a mod designed to make Invision’s forum “search engine friendly”. It quietly inserted 5 or 6 backlinks to his own pop culture websites, so only the search engines would see them. Nasty. We got him to fix it, though.

Now WordPress2 comes with a ton of themes. Each one is a set of code files, and each enjoys ample opportunity to insert backlinks. I always go and remove sitewide footer links because they are clearly not justified (except perhaps with a nofollow…haha) but this time I found myself stripping out several additional links buried in the code. Some were in sections marked “do not edit anything here”. Some threatened “if you touch anything here, don’t even think of asking for support”. That’s fair enough, but disclosure would be much more… ethical?

Yawn. Maybe I will start digging and see just how many free hidden backlinks are working for these people. And how many disclose, how many seem to hide the links, or gasp… maybe some are encoded? A task for a rainy day?

Alex King has promoted WordPress themes on his site for years, and gets many submissions. From this post I see some have computer viruses/worms embedded, and others have hidden links. I’m not sure what the review process is today.
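
The kind of audit described above can be scripted before a downloaded theme is installed. The following is an added example, not code from this blog or from WordPress: it lists every outbound link host in a theme's PHP files, labels links in files that branch on a crawler user agent, and decodes base64-looking literals to find links hidden inside them. The host names, sample file contents and the `own_hosts` allow-list are constructed assumptions.

```python
import base64
import re
from pathlib import Path

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long base64-looking runs
CLOAK_RE = re.compile(r"HTTP_USER_AGENT")
BOT_RE = re.compile(r"googlebot|slurp|msnbot|crawler|spider", re.I)

def load_theme(root):
    """Read every .php file under a theme directory into {relative_path: text}."""
    return {str(p.relative_to(root)): p.read_text(errors="ignore")
            for p in Path(root).rglob("*.php")}

def audit_theme(files, own_hosts):
    """Return sorted (file, kind, host) findings for links to hosts not in own_hosts."""
    findings = set()
    for name, text in files.items():
        # A file that inspects the user agent and names a crawler may be serving
        # links only to search engines; label its links accordingly.
        cloaked = bool(CLOAK_RE.search(text) and BOT_RE.search(text))
        for host in URL_RE.findall(text):
            if host.lower() not in own_hosts:
                kind = "cloaked-link" if cloaked else "plain-link"
                findings.add((name, kind, host.lower()))
        # Decode base64-looking literals and look for links inside them.
        for blob in B64_RE.findall(text):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
            except ValueError:          # not valid base64 after all
                continue
            for host in URL_RE.findall(decoded):
                if host.lower() not in own_hosts:
                    findings.add((name, "encoded-link", host.lower()))
    return sorted(findings)

# Constructed sample theme (file contents invented for this example).
_ENC = base64.b64encode(b'<a href="http://hidden.example/">x</a>').decode()
SAMPLE_THEME = {
    "footer.php": '<!-- do not edit anything here -->\n'
                  '<a href="http://theme-author.example/">Theme by Author</a>\n',
    "functions.php": "<?php echo base64_decode('%s'); ?>\n" % _ENC,
    "header.php": "<?php if (stristr($_SERVER['HTTP_USER_AGENT'], 'Googlebot')) {\n"
                  "  echo '<a href=\"http://cloaked.example/\">x</a>'; } ?>\n",
    "index.php": "<a href=\"<?php bloginfo('url'); ?>\">Home</a>\n",
}

if __name__ == "__main__":
    for finding in audit_theme(SAMPLE_THEME, own_hosts={"myblog.example"}):
        print(*finding, sep="\t")
```

For a real download, pass `load_theme("path/to/theme")` instead of `SAMPLE_THEME`; the patterns are heuristics, so an empty result does not prove a theme is clean.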

John Andrews is a mobile web professional and competitive search engine optimizer (SEO). He's been quietly earning top rank for websites since 1997.
