[TYPO3-english] "com_simpledownload"??

Axel Joensson a.joensson at web.de
Wed Feb 26 15:01:06 CET 2014


Jigal van Hemert <jigal.van.hemert at typo3.org> wrote:

Hello Jigal,

> Hi,
> 
> On 25-2-2014 22:19, Axel Joensson wrote:
> > This is however just a workaround, an extension like sr_language_menu
> > must not be susceptible to integrating manipulated strings into internal
> > URLs:
> 
> It's very difficult to distinguish between URL parameters which are part
> of TYPO3 and those which are invented by visitors.
> On one hand everybody expects that the current parameters of a page 
> which are necessary to build the content are preserved while switching
> languages. On the other hand you expect that no other parameters are 
> included. How is sr_language_menu supposed to know which parameters are
> valid and which are added by a visitor?
> 
> sr_language_menu chose the option to exclude specific parameters 
> (there is a configuration setting for that) and include everything else.
> Another approach would be to only include specific parameters. That 
> would mean that if you install extension "XYZ" you would need to add a
> list of parameters used by that extension to the configuration of the
> language menu.

You are right, but isn't there some risk that this can be abused? I
tested another site which is not mine, but also made with TYPO3 and with
an English version, though the menu seems not to be made with
sr_language_menu (I don't want to publicly post the "forged" link,
though it is harmless). When I sent one of those manipulated calls for
their homepage, all the attached "nonsense" parameters were immediately
included in the link on that home page to their English page version.
So it seems that more extensions are susceptible to this. 

As these calls can partly be identified by regex (which I am not good
at), I looked around on the web for a "hardened" .htaccess file and found
this:

<http://perishablepress.com/5g-blacklist-2013/>

It seems to be made by a WordPress user. If you use it to extend your own
.htaccess, remove the reference to "base64" from the section <IfModule
mod_alias.c> first, or you won't be able to log in to the BE anymore
(which uses a "base64.js"). This .htaccess sends calls, e.g. those with
lots of slashes, straight to a "403". Using a shortened "forged" link
without the slashes, the other parameters are accepted (on my site), but
they no longer seem to make it into the source code of the link from
sr_language_menu, while the search, which passes on various parameters
in the URL, is not disturbed.  

Strange about this is that if I come with a browser, with this .htaccess
I get the desired "403" with one of those manipulated calls. But if I
pass the same address through websniffer, the page is still delivered
with "200" without any problem.

Axel    
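The two strategies Jigal describes above (exclude a few known parameters and keep the rest, versus keep only registered parameters and drop the rest), as an added illustration that is not code from sr_language_menu, TYPO3 or either poster. It assumes a plain GET array as PHP would parse it and uses TYPO3's `id`, `L` and `cHash` parameter names only as familiar placeholders; the function names and the "registered parameter" list are made up for the example.

```php
<?php
// Added example, not sr_language_menu's own code. Both builders take the
// current request's GET parameters and produce a link to the same page in
// another language. Parameter and function names are assumptions.

/**
 * Denylist (the approach the thread attributes to sr_language_menu):
 * keep every current parameter except the configured exclusions.
 * Anything a visitor appended to the URL survives into the link.
 */
function buildLanguageLinkDenylist(array $get, int $targetLanguage, array $excluded): string
{
    $params = [];
    foreach ($get as $name => $value) {
        if (in_array($name, $excluded, true)) {
            continue;
        }
        $params[$name] = $value;
    }
    $params['L'] = $targetLanguage;
    return '/index.php?' . http_build_query($params);
}

/**
 * Allowlist (the alternative Jigal mentions): only parameters registered
 * as belonging to the page or an installed extension are copied. The cost
 * is that every extension's parameters must be listed in configuration.
 */
function buildLanguageLinkAllowlist(array $get, int $targetLanguage, array $allowed): string
{
    $params = [];
    foreach ($allowed as $name) {
        if (array_key_exists($name, $get)) {
            $params[$name] = $get[$name];
        }
    }
    $params['L'] = $targetLanguage;
    return '/index.php?' . http_build_query($params);
}

// Constructed request: a legitimate page id and search parameter, the
// current language, plus a "nonsense" parameter a visitor tacked on.
$get = [
    'id'              => '42',
    'tx_indexedsearch' => ['sword' => 'typo3'],
    'L'               => '0',
    'foo'             => 'whatever-the-visitor-sent',
];

$excluded = ['L', 'cHash'];                 // denylist: what to strip
$allowed  = ['id', 'tx_indexedsearch'];     // allowlist: what to keep

// The denylist link carries foo=... through; the allowlist link does not.
$denylistLink  = buildLanguageLinkDenylist($get, 1, $excluded);
$allowlistLink = buildLanguageLinkAllowlist($get, 1, $allowed);

// Whatever builder is used, the URL still has to be escaped when it is
// written into an href attribute; http_build_query only URL-encodes.
echo '<a href="' . htmlspecialchars($denylistLink, ENT_QUOTES, 'UTF-8') . '">denylist</a>' . PHP_EOL;
echo '<a href="' . htmlspecialchars($allowlistLink, ENT_QUOTES, 'UTF-8') . '">allowlist</a>' . PHP_EOL;
```

Run it with `php example.php`: the first link ends in `&foo=whatever-the-visitor-sent&L=1`, the second contains only `id`, the nested `tx_indexedsearch[sword]` parameter and `L=1`. The denylist cannot tell a parameter the page needs from one a visitor invented, which is exactly the difficulty Jigal points out; the allowlist can, at the price of maintaining the list per installed extension.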

