New Malware Injection Method: PDF Upload Fields

Recently we discovered a new threat affecting our Drupal website clients, specifically those with web forms (also known as the webform module) that contain a file upload field. It is not uncommon for a site to collect a file such as an image or PDF through its website to better communicate with its visitors. Because this is a standard feature and often open to the public, it has become a target for malware. This particular threat involves the upload of a PDF through a web form.

The webform module's default file storage location is open to the public. This means that the file can be accessed directly, and the attacker uses this open access to share the file with others. It's similar to a real-life infection: the site is used as a host to spread to other users. Not only does this endanger the site's visitors, it also threatens the site's reputation, as search engines will block traffic to a website that is serving malware.

WebClinic Pro has neutralized this threat for our current clients. The first precaution we have in place is to set the file upload location to 'private'. A user must be logged in to the site to access a private location, so this prevents the public from downloading the malicious file. By isolating the file in a private directory, the site can't be used as a malware host. However, this does not prevent the website owner from downloading the file.

To protect the website owner, we have added several security features that scan the file for malware signatures and block bots from using the web form. The malware scan will prevent malware from being uploaded, but website owners should remain cautious when downloading files from their web form. If a file looks suspicious, please notify us.
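A pre-storage triage check in the spirit of the signature scan described above, as an added example (it is not WebClinic Pro's scanner and not part of the webform module). It rejects uploads that are not really PDFs and flags PDFs that carry active-content names, including hex-escaped spellings; the function names, keyword list and sample bytes are assumptions constructed for illustration.

```python
import re

# PDF name tokens that mark active or embedded content (assumed watch list).
# A hit is a reason to quarantine the upload for review, not proof of malware.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name runs from "/" to the next whitespace or delimiter character.
_NAME = re.compile(rb"/[^\x00\t\n\f\r ()<>\[\]{}/%]+")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so '/J#61vaScript' compares equal to '/JavaScript'."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf_upload(data: bytes) -> dict:
    """Return an accept/reject verdict for an uploaded file that claims to be a PDF."""
    # Strict header check: the file extension and browser-supplied MIME type are not trusted.
    if not data.startswith(b"%PDF-"):
        return {"accept": False, "reason": "not a PDF (missing %PDF- header)", "hits": []}
    names = {decode_name(m.group(0)) for m in _NAME.finditer(data)}
    hits = sorted(n for n in RISKY_NAMES if n in names)
    if hits:
        return {"accept": False, "reason": "active content present", "hits": hits}
    return {"accept": True, "reason": "no active-content names found", "hits": []}


# Constructed sample inputs (not taken from any real upload).
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
ACTIVE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n%%EOF\n"
)
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00 renamed to report.pdf"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PDF), ("active", ACTIVE_PDF), ("renamed", RENAMED_EXE)):
        print(label, triage_pdf_upload(blob))
```

Names stored inside compressed object streams are not visible to this check, so it complements an antivirus scan and private file storage rather than replacing either.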

It is important to us to inform our clients of these threats and assure them that they are in good hands. If you have any questions about this threat or the steps taken to prevent it, please give us a call at (800) 771-3950.