CMS Made Simple Forums

Posted: **Fri Aug 29, 2014 11:28 am**

Hi,
I am using 1.11.10 and pretty URLs.
Given a page named test, it is accessible using its:

* Page alias, e.g. /test
* Page URL, e.g. /testfolder/test
* Page ID, e.g. /25 (if that is the page id for the test page)

But, the following form also works:

* /aaaa/test
* /aaaa/bbbb/test

and so on.

This is undesirable, because a member of the public could publis a URL to our side along the lines of
/ThisCompanyAllowsMeTo/CreateURLSThatAreOffensive/test

How can we stop this kind of behavior?

This also affects modules like Search and News for instance.

Posted: **Sat Aug 30, 2014 10:41 pm**

This has been raised before. I don't think there is a way to prevent it except switching off pretty URLs.

You can add this code to your template(s) to add the canonical URL for the page in the HEAD:

Code: Select all

{if isset($canonical)}<link rel="canonical" href="{$canonical}" />{elseif isset($content_obj)}<link rel="canonical" href="{$content_obj->GetURL()}" />{/if}

Search engines will then know the correct URL for the page.

It's not strictly a security issue. More a URL vanity issue IMHO.

Posted: **Sat Aug 30, 2014 10:56 pm**

paulbaker wrote:It's not strictly a security issue.

Exactly: not a security issue. It can be seen as a "hackish" way of linking from an external site to a page in a CMSMS site.

paulbaker wrote:This has been raised before. I don't think there is a way to prevent it except switching off pretty URLs.

True! Look at this post: http://forum.cmsmadesimple.org/viewtopi ... 8&p=279909
It's a secondary effect of the versatility CMSMS offers, and with canonical URL's properly setup, your SEO ranks wont be affected.

CMS Made Simple Forums

Security issue - users can manipulate the URL

Security issue - users can manipulate the URL

Re: Security issue - users can manipulate the URL

Re: Security issue - users can manipulate the URL