[TYPO3] Foreign url injection?
Christian Tauscher
cms at media-distillery.de
Tue Nov 21 22:21:57 CET 2006
Logi Huldar Gunnlaugsson wrote:
> http://busca.uol.com.br/uol/index.html/). Every link will use that
> parameter there after (Typo3 thinking that this is a legitimate
> L-parameter perhaps?)
Since you have configured linkVars = L, it seems only consistent that
TYPO3 appends your requested string to every link - whether it makes
sense is another question.
If your language setup only "listens" to the strings "0" and "1" for
default and translation, nothing will happen with a different string from
the defined ones -> the default language will be used as long as no other
matching condition is found.
> Although I've never seen anything like this before I guess this must be
> a problem that people are experiencing all over. The thing is also that
> I have no idea what this is called so when I try to google the problem I
> get no intelligent results.
Probably you are a victim of some "spammer", who looks for URLs with some
?whatever=123 in them. Then this spammer program changes the last part to
the strange URL, in the hope that some kind of injection is possible.
I don't know TYPO3 well enough to say whether an injection via the linkVars
parameter is possible (I think -hope- not). I don't have enough hacker's
blood running in my veins :-)
But maybe some checks could be done on this issue by some more competent
person than me.
For the first I would try to allow only certain defined Parameters for
the L via TS.
some try...
[globalVar = GP:L > 2]
# 0 = standard, 1 = english, 2 = spain
config.language = de
config.sys_language_uid = 0
[global]
But this changes nothing, since no condition (except the one) will fulfill
the case, and so the same config is set as if nothing had happened.
What is the conclusion of this?
I am not an expert, so don't trust too much in my words in /this/ case;
I might be wrong.
The TS is not tested.
No solution is found for "how to get rid of these strange URLs".
Sorry,
Christian.
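Added illustration, not code from the thread and not TYPO3's own link builder: a small Python model of what "linkVars = L" does (copy the incoming L onto every outgoing link, whatever it contains) next to the allow-list variant Christian is reaching for, where only the L values that map to a configured language are propagated and anything else is dropped and falls back to the default language. The language table (0, 1, 2 = default, English, Spanish) mirrors the comment in the TypoScript above; the request strings are constructed samples.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed to match the thread's setup: 0 = standard, 1 = English, 2 = Spanish.
KNOWN_LANGUAGE_UIDS = {0, 1, 2}
DEFAULT_LANGUAGE_UID = 0
# Exact strings we are willing to carry from one request into the next link.
ALLOWED_L_VALUES = {str(uid) for uid in KNOWN_LANGUAGE_UIDS}
# The GET variables the site passes along, i.e. the model of "linkVars = L".
LINK_VARS = ("L",)


def resolve_language(raw_l):
    """Map a raw L value to a sys_language_uid; unknown or non-numeric -> default.

    This is the behaviour the thread expects on the *rendering* side: a foreign
    string in L does not select a language, the default is used instead.
    """
    if raw_l is None:
        return DEFAULT_LANGUAGE_UID
    try:
        uid = int(raw_l)
    except ValueError:
        return DEFAULT_LANGUAGE_UID
    return uid if uid in KNOWN_LANGUAGE_UIDS else DEFAULT_LANGUAGE_UID


def _incoming(request_query):
    # keep_blank_values so "?L=" is visible as a present-but-empty parameter
    return dict(parse_qsl(request_query, keep_blank_values=True))


def build_link_unfiltered(request_query, target):
    """Plain linkVars behaviour: whatever arrived in L is appended to every link."""
    incoming = _incoming(request_query)
    params = {k: incoming[k] for k in LINK_VARS if k in incoming}
    return target + ("?" + urlencode(params) if params else "")


def build_link_filtered(request_query, target):
    """Allow-list variant: propagate L only if it is one of the configured values."""
    incoming = _incoming(request_query)
    params = {}
    for k in LINK_VARS:
        if k in incoming and incoming[k] in ALLOWED_L_VALUES:
            params[k] = incoming[k]
    return target + ("?" + urlencode(params) if params else "")


def is_foreign_l(request_query):
    """True when the request carries an L that is not a configured language.

    Useful for spotting the kind of request the thread describes in access logs.
    """
    incoming = _incoming(request_query)
    return "L" in incoming and incoming["L"] not in ALLOWED_L_VALUES


if __name__ == "__main__":
    # Constructed sample: a request whose L has been replaced by a foreign URL.
    tampered = "id=5&L=http://example.invalid/index.html/"
    normal = "id=5&L=2"
    print(build_link_unfiltered(tampered, "index.php"))  # foreign string travels on
    print(build_link_filtered(tampered, "index.php"))    # dropped: index.php
    print(build_link_filtered(normal, "index.php"))      # kept: index.php?L=2
    print(resolve_language("http://example.invalid/"), resolve_language("2"))
```

The point of the split is that the TypoScript condition in the mail only controls which config is rendered, not which values linkVars copies into the links, so the tampered string keeps propagating even when the default language is chosen. The link builder itself has to apply the allow-list. TSref documents a range form for linkVars (for example L(0-2)) that expresses exactly this restriction in TypoScript; check the reference for the installed TYPO3 version before relying on it.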