[TYPO3] Foreign url injection?

[Christian Tauscher]

Logi Huldar Gunnlaugsson wrote:

> http://busca.uol.com.br/uol/index.html/). Every link will use that
> parameter there after (Typo3 thinking that this is a legitimate
> L-parameter perhaps?)

Since you have configured linkVars = L it seems only to be consequent 
that TYPO3 appends every link with your requested string - if it makes 
sense is some other question.

if your language-Setup only "listens" to the strings "0" and "1" for 
default and translation, nothing will happen to a different string from 
the defined ones -> default langage wil lbe used as long as no ther 
matching condition is found.

> Although I've never seen anything like this before I guess this must be
> a problem that people are experiencing all over. The thing is also that
> I have no idea what this is called so when I try to google the problem I
> get no intelligent results.

Probably you are a victim of some "spamer", who looks for URLs with some 
?whatever=123 in it. Then this spammer-Program changes the last part to 
the strange url, in hope some kind of injection is possible.

I dont't know TYPO3 enough if a injection via the linkVars Parameter is 
possible (I think -hope- not). I have not enough hacker's Blood running 
in my venes :-)

But maybe some check's could be done on this issue by some mor competent 
person than me.

For the first I would try to allow only certain defined Parameters for 
the L via TS.

some try...

[globalVar = GP:L > 2]
	# 0 = standard, 1 = english, 2 = spain
	config.language = de
	config.sys_language_uid = 0
[global]

But this changes nothing sinc no condition (exept the one) will fullfill 
the case and so the same config is set as if nothing happened.

What is the conclusion of this?

I am not an expert, so don't trust too much in my words in /this/ case, 
I might me wrong.
The TS is not tested.

No solution is found for "how to get rid of this strange urls".

Sorry,

Christian.