[TYPO3-english] "com_simpledownload"??

Axel Joensson a.joensson at web.de
Mon Feb 24 14:58:15 CET 2014


Jigal van Hemert <jigal.van.hemert at typo3.org> wrote:

Hi Jigal,

> Hi,
> 
> On 23-2-2014 17:56, Axel Joensson wrote:
> > In a productive T3 installation 4.5.32 with five languages, when randomly
> > looking into the source code delivered to the browser, I today
> > discovered a strange line:
> >
> > index.html?option=com_simpledownload&amp;controller=
> >
> > There followed almost countless slashes with a final 0. I have no idea
> > where that "option" may come from, but googling for "com_simpledownload"
> > I found something looking like exploit scripts written for Joomla some
> > years ago.
> >
> > Emptying all caches removed that "option" from the links, but I'd really
> > like to know: How can that appear in my source code without having
> > anything installed that is only close to such a (possible) extension?
> 
> Perhaps you have options set in your configuration (or that of an 
> extension) to keep the existing URL parameters when generating a link.
> If someone manually adds these parameters to test if the exploit with
> com_simpledownload is available on your server, these links might end up
> in the cache.
> 
> See 'addQueryString' [1].
> 
> [1] http://docs.typo3.org/typo3cms/TyposcriptReference/Functions/Typolink/Index.html

Thanks for replying!

The only other occasion where some parameters occur is in the search
module (not indexed search, but the "simple" one), to pass on the search
term: While the URL of the search result page is "clean", the search
word parameters are preserved and passed on when clicking the "next" or
"previous" links for more result pages (which is necessary), but also in
the links of the results list (which I regard unnecessary).

IIRC, this option=com_simpledownload stuff appeared in the language
links on top, for which I use sr_languagemenu. In the Constants for
sr_languagemenu under "Parameters that should not be forwarded", there
are named "user,pass,sword_list". In the other extensions' Constants,
there is nothing remarkable referring to typolink, same in the Setup. 

That seems to me kind of a strange and undesired cache behavior, to pass
on parameters entered through the front end by "forging" URLs into the
cache, if there is not even a target or action for such a link. After
all, this also affects search engine indexation. If appearing in the
source code for some days, such cached forged links may enter SE
indexes.

Axel
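
Added example, not part of the original message or of TYPO3: a check over rendered (or cached) page HTML that reports links carrying query parameters outside an allowlist, which is how a forged `option=com_simpledownload` link kept by `addQueryString` shows up in the output. The allowlist, the function and class names, and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameter names this site legitimately puts into generated links.
ALLOWED_PARAMS = {"id", "L", "type", "cHash", "sword", "sword_list"}


class LinkCollector(HTMLParser):
    """Collects the href value of every <a> tag (entities already decoded)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def find_foreign_params(html, allowed=ALLOWED_PARAMS):
    """Return {href: [unexpected parameter names]} for links in rendered HTML."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href in collector.hrefs:
        unexpected = []
        # keep_blank_values: an empty "controller=" must still be reported
        for name, _ in parse_qsl(urlsplit(href).query, keep_blank_values=True):
            base = name.split("[", 1)[0]  # sword_list[] -> sword_list
            if base not in allowed and base not in unexpected:
                unexpected.append(base)
        if unexpected:
            findings[href] = unexpected
    return findings


# Constructed sample: a language-menu link that inherited forged parameters,
# next to two ordinary links.
SAMPLE_HTML = """
<a href="index.html?option=com_simpledownload&amp;controller=&amp;L=1">Deutsch</a>
<a href="index.php?id=12&amp;L=2">English</a>
<a href="index.php?id=40&amp;sword_list[]=typo3">next</a>
"""

if __name__ == "__main__":
    for href, names in find_foreign_params(SAMPLE_HTML).items():
        print(href, "->", ", ".join(names))
```

Run against pages fetched after a cache rebuild, an empty result indicates no foreign parameters have been written into generated links.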

