[TYPO3] weird url injection

Christopher Torgalson bedlamhotel at gmail.com
Thu Apr 5 17:05:22 CEST 2007


Hi,

On 4/5/07, Bernd Wilke <19m0nyq02 at sneakemail.com> wrote:
>
>
> --
> www.bernd-wilke.net
> "Debora" <MimeFly at gmail.com> wrote in message
> news:mailman.1.1175768606.16648.typo3-english at lists.netfielders.de...
> > Hi all,
> >
> > To my horror I noticed that someone has been trying to hack my website
> > (TYPO3 4.0.5, PHP 5.1.6 -> both being upgraded today). My site is
> > multilingual and I always upgrade extensions by default. I also clear all
> > cache at the start of each day manually...
> >
> > What's the problem:
> > - The URLs (both internal and external and inside Google!) have this added
> > to it:
> >       ...      "?ref=Fuckonly.com" ...
> > - It does not 'do' anything (thank the gods), the pages are being
> > displayed normally but with that annoying reference, but I DO NOT want to be
> > affiliated with a p*rn site whatsoever!!!
> >
> > The temporary "solution" ??
> > - I have no idea ... but I have cleared all cache and temp directories and
> > it 'seems' to be gone for now. Luckily the only DB tables 'affected' are the
> > statistics modules, which have logged everything of course...
>
> You can only clear the FE cache
>
> > I have looked into the statistics and it seems to have happened for the
> > first time around 16/17 March 2007. Always from different IP addresses. But
> > what strikes me is that the most affected language is Chinese (Simpl.) and
> > just one or two URLs in Spanish/English... It seems to be a PHP problem,
> > but I really don't know IF it's TYPO3 or PHP or both...
>
> It is a cache problem, so every page and its parameters are cached; as far as
> the cache is rebuilt once a day, the first call to your pages may store
> these strange parameters to the links from that page (especially if those
> parameters are defined in "config.linkVars").
>
> > So what I would like to know, has this been a hack attempt? Or a script
> > kiddie? Or a spambot of some sort?? Cause I have no idea...
>
> I think it might be a try to hijack your site for cross-site scripting or
> SQL injection (see Wikipedia)
>
> > Does anyone know how to prevent this from happening again ?
>
> I would like to know too


Bernd (and Debora): if it's true that this is only TYPO3 caching the
first hit of the day, I would guess that this is an attempt at
log-spamming [1] that has exposed a weakness in TYPO3...but that
raises the question 'what can be done about it?'  (aside from never,
never clearing the cache...)


-- 
Christopher Torgalson
http://www.typo3apprentice.com/

[1] http://www.google.com/search?q=log+spamming
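
One way to check web server logs for the pattern discussed in this thread, as an added example that is not part of the original messages: it flags requests carrying query parameters outside an allowlist and marks those that were the first hit on a page that day, the hit that would fill a freshly cleared cache. The allowlist, the Combined Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the site itself is expected to use (assumption for this example).
ALLOWED_PARAMS = {"id", "L", "type", "cHash", "no_cache"}

# Combined Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def split_params(target):
    """Split a request target into (path, allowlisted pairs, foreign names)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Array parameters such as name[key] are judged by their base name.
    is_known = lambda name: name.split("[", 1)[0] in ALLOWED_PARAMS
    known = tuple(sorted(p for p in pairs if is_known(p[0])))
    foreign = sorted({k for k, _ in pairs if not is_known(k)})
    return parts.path, known, foreign

def scan(lines):
    """Return one finding per GET request that carries a foreign parameter."""
    seen_pages = set()   # (day, path, allowlisted params) already requested
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path, known, foreign = split_params(m["target"])
        page = (m["day"], path, known)
        first_hit = page not in seen_pages
        seen_pages.add(page)
        if foreign:
            findings.append({"ip": m["ip"], "day": m["day"], "path": path,
                             "params": foreign, "first_hit_of_day": first_hit})
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder ref value).
SAMPLE = [
    '203.0.113.7 - - [05/Apr/2007:06:00:01 +0200] "GET /index.php?id=12&L=3&ref=spam.example HTTP/1.1" 200 5120',
    '198.51.100.4 - - [05/Apr/2007:06:02:10 +0200] "GET /index.php?id=12&L=3 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [05/Apr/2007:06:05:44 +0200] "GET /index.php?id=14&L=0 HTTP/1.1" 200 4096',
    '203.0.113.8 - - [05/Apr/2007:07:15:00 +0200] "GET /index.php?id=14&L=0&ref=spam.example HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings with `first_hit_of_day` set are the ones worth comparing against the time the cache was cleared.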


More information about the TYPO3-english mailing list