Fake Article Alias Abuse

11 years 11 months ago - 11 years 11 months ago #104880 by Goh Yew Hoe
Fake Article Alias Abuse was created by Goh Yew Hoe
When Joomla SEF is enabled, the URL looks like this. For example, I'll use an article from K2.
getk2.org/blog/item/993-k2-v261-now-available

But the article alias doesn't seem to be checked properly, so it can be renamed to something else and the same article still displays regardless.

Take the example URL above; I rename it to:
getk2.org/blog/item/993-k2-v261
getk2.org/blog/item/993-something-offensive
getk2.org/blog/item/993

It seems that as long as the itemID is in the URL, the article will still display regardless of the alias. This is quite a big issue because it leads to a very possible abuse by changing the alias to something offensive, then sharing the link & getting indexed by Google.

The correct behavior should be a 404 error when the alias doesn't match. This problem can be found on every Joomla or Joomla+K2 site, whether it's 2.5.x or 3.0.x

I see that this problem was reported recently on Joomla where the fault was pointed to component\com_content\router.php
joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=29428
github.com/joomla/joomla-cms/pull/472

Now I see that in component\com_k2 there's a router.php as well. Does the router.php in K2 require changes as well to fix the issue? Or is this problem strictly with Joomla only?


11 years 11 months ago #104881 by Goh Yew Hoe
Replied by Goh Yew Hoe on topic Re: Fake Article Alias Abuse
OK, I checked the Joomla code and applied the changes to Joomla's router.php and tested proper 404 behavior on a wrong alias name. But that only applies to Joomla articles.

K2 articles still accept multiple aliases, so it looks like K2's router.php needs to be updated for this fix as well. Any K2 developer willing to make a fix for this alias problem?


11 years 11 months ago - 11 years 11 months ago #104882 by Goh Yew Hoe
Replied by Goh Yew Hoe on topic Re: Fake Article Alias Abuse
It's strange how no one replies... as if no one cares about their site reputation. I've spent some time trying to figure out how K2 checks the URL and found this in views\item\view.html.php:

    // Does the item exists?
    if (!is_object($item) || !$item->id) {
        JError::raiseError(404, JText::_('K2_ITEM_NOT_FOUND'));
    }

I was able to get the alias value with $item->alias, but I have no idea how to grab the instance's alias in order to perform a check and raise a 404 error if the alias requested in the browser is different from the alias in the database.

Any developer or mod that can help? I'm sure it can be fixed.

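The check asked for in the last post, as an added example that is not part of the original thread and is not K2 or Joomla code. The function name resolveItemSegment, the $storedAliases array standing in for the database lookup, and the optional 301 redirect to the stored alias (an alternative to the 404 the thread asks for) are all assumptions made for illustration.

```php
<?php
// Added example: not K2 or Joomla code. All names here are hypothetical.

/**
 * Decide the response for an SEF item segment such as "993-k2-v261-now-available".
 *
 * @param string $segment       last path segment taken from the request
 * @param array  $storedAliases id => alias, standing in for the database lookup
 * @param int    $onMismatch    404 to reject a wrong alias, 301 to redirect to the real one
 * @return array [HTTP status, segment to redirect to or null]
 */
function resolveItemSegment(string $segment, array $storedAliases, int $onMismatch = 404): array
{
    // Accept only "<id>" or "<id>-<alias>"; \z also rejects a trailing newline.
    if (!preg_match('/^(\d{1,9})(?:-.*)?\z/', $segment, $m)) {
        return [404, null];
    }
    $id = (int) $m[1];

    if (!isset($storedAliases[$id])) {
        return [404, null];              // no such item
    }
    $canonical = $id . '-' . $storedAliases[$id];

    // Serve the item only when the whole segment equals "<id>-<stored alias>".
    if ($segment === $canonical) {
        return [200, null];
    }
    // Right id, wrong or missing alias: never render the item under that URL.
    return $onMismatch === 301 ? [301, $canonical] : [404, null];
}

// Constructed lookup table; the id and alias come from the URL quoted in the thread.
$stored = [993 => 'k2-v261-now-available'];

$requests = [
    '993-k2-v261-now-available',
    '993-k2-v261',
    '993-something-offensive',
    '993',
];
foreach ($requests as $segment) {
    [$status, $location] = resolveItemSegment($segment, $stored);
    echo str_pad($segment, 28), $status, $location ? " -> $location" : '', PHP_EOL;
}
```

Only the first of the four URLs from the thread gets a 200; the other three get a 404, or a 301 to the first when $onMismatch is set to 301.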

