Security issue - users can manipulate the URL

[cmsgenie]

Hi,
I am using 1.11.10 and pretty URLs.
Given a page named test, it is accessible using its:

• * Page alias, e.g. /test
  * Page URL, e.g. /testfolder/test
  * Page ID, e.g. /25 (if that is the page id for the test page)

But, the following form also works:

• * /aaaa/test
  * /aaaa/bbbb/test

and so on.

This is undesirable, because a member of the public could publis a URL to our side along the lines of
/ThisCompanyAllowsMeTo/CreateURLSThatAreOffensive/test

How can we stop this kind of behavior?

This also affects modules like Search and News for instance.

[paulbaker]

This has been raised before. I don't think there is a way to prevent it except switching off pretty URLs.

You can add this code to your template(s) to add the canonical URL for the page in the HEAD:

Code: Select all

{if isset($canonical)}<link rel="canonical" href="{$canonical}" />{elseif isset($content_obj)}<link rel="canonical" href="{$content_obj->GetURL()}" />{/if}

Search engines will then know the correct URL for the page.

It's not strictly a security issue. More a URL vanity issue IMHO.

[Jo Morg]

It's not strictly a security issue.

Exactly: not a security issue. It can be seen as a "hackish" way of linking from an external site to a page in a CMSMS site.

This has been raised before. I don't think there is a way to prevent it except switching off pretty URLs.

True! Look at this post: http://forum.cmsmadesimple.org/viewtopi ... 8&p=279909
It's a secondary effect of the versatility CMSMS offers, and with canonical URL's properly setup, your SEO ranks wont be affected.