
Postnuke / Zikula Security vulnerability or just bad programming

  • http://zikula.org/?append-anything-here-should-lead-to-404-SEs-not-happy-leads-to-penalties

    Whether you use postnuke .760 () or zikula 1.(), you can append anything after http://www.yoursite.com/? and instead of a 404 error redirect, the request is directed to the homepage. I had a quick look and I believe the pnAPI file probably needs to be fixed somewhere; I tried a couple of fixes, but no luck so far. The problem persists even if you put a redirect such as /?q=(.*) or /?(.*) to /404.shtml. It may not be a security vulnerability per se, but when googlebot is deliberately coming up with nonexistent query strings and getting a 200 header found and landing on the homepage instead of a 404 not found, it is surely NOT GOOD for duplicate content and bad 301 redirects, which are not agreeable to all SEs' TOSs and likely to lead to site penalties or filters etc. It urgently needs a fix.

    I use both .764 and zikula on a few sites; the problem exists on all versions of postnuke and zikula. Can someone suggest a quick fix/patch for postnuke .764 and zikula?
  • Even without the question mark, still happens on zikula.org,
    http://zikula.org/append-anything-here-should-lead-to-404-SEs-not-happy-leads-to-penalties

    However, on my sites it does NOT and leads to a proper 404, but if I precede it with ?, it happens on my sites and on zikula.org.
  • bug/security issues should be reported here

    --
    Home Page | Find on Facebook | Follow on Twitter
  • I would, but that site is the core site and doesn't accept my login details; it seems they are separate from this forum's login and it's pointless registering on every subdomain of zikula.org.

    Anyway, I managed to find a temporary fix.

    This works on my sites and my configs and may not suit everyone, I use postnuke .764 on some sites, and zikula 1.1.2 on others and this has fixed the problem on all, however, apply at your own risk, once applied run Xenu or similar program to make sure all URLs on your site are OK and the fix did not break anything.

    The fix below is a simple 301 redirect which you can put on top of your htaccess file, that's all.

    # Put this before any other rewrite rules; it assumes mod_rewrite is available
    RewriteEngine On
    # THE_REQUEST is the raw request line, e.g. "GET /?foo HTTP/1.1";
    # match only requests whose path is exactly "/" followed by a query string ([NC] = case-insensitive)
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /\?(.*)\ HTTP/ [NC]
    # Send those requests to the custom 404 page; the trailing "?" drops the original query string
    RewriteRule ^/?$ /404\.shtml? [R=301,L]

    The redirect sends any traffic starting with /? to your 404 not found page. Postnuke / zikula and its modules and themes are not constructed with URLs starting with /?; it's always /index.php?... or modules.php?..., or, if you are using any rewrite rules, /whatever....html, and that is left untouched.
    404\.shtml is my custom 404 error page; change it to yours. If you don't, it'll just go to the default ugly error page, but at least it'll give search engines a proper 404 not found header.

    If anyone finds this fix has broken something, comment it out and come back here to tell us what it was.
    It's best if someone takes a note and tells the dev team for future fixes in the pnAPI file or wherever this can be fixed!
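The following is an added example, not code from the post above or from the Zikula project. It re-implements the posted RewriteCond pattern with grep so you can see, offline, which request lines the rule would catch and which it leaves alone (THE_REQUEST in Apache is the raw request line, e.g. "GET /?foo HTTP/1.1"). The request lines are constructed for this example; the check_status helper and the CHECK_URL variable are assumptions used only for an optional live check against your own site.

```shell
#!/bin/sh
# Added example: simulate the posted .htaccess RewriteCond on sample request lines.

# Same pattern as the posted RewriteCond, with the backslash-escaped spaces
# written as plain spaces. [NC] in mod_rewrite means case-insensitive, hence -i below.
FIX_RULE_REGEX='^[A-Z]{3,9} /\?(.*) HTTP/'

# Returns 0 if the request line would be caught by the rule (301 to /404.shtml),
# 1 if the rule leaves it untouched.
request_is_redirected() {
    printf '%s\n' "$1" | grep -Eiq "$FIX_RULE_REGEX"
}

# Print the verdict for one constructed request line.
show() {
    if request_is_redirected "$1"; then
        printf 'redirected : %s\n' "$1"
    else
        printf 'left alone : %s\n' "$1"
    fi
}

# Constructed request lines covering the cases discussed in the thread.
show 'GET /?append-anything-here HTTP/1.1'      # caught: "/" followed by "?"
show 'GET /?q=something HTTP/1.0'               # caught: query on the root path
show 'GET / HTTP/1.1'                           # not caught: plain homepage request
show 'GET /index.php?module=News HTTP/1.1'      # not caught: normal module URL
show 'GET /modules.php?op=modload HTTP/1.1'     # not caught: normal module URL
show 'GET /blabla-1234.html HTTP/1.1'           # not caught: "file"-type short URL
show 'GET /append-anything-here HTTP/1.1'       # not caught: path without "?"

# Optional live check (assumed helper, only run if CHECK_URL is set):
# prints the final HTTP status code a crawler would record for the URL.
check_status() {
    curl -s -o /dev/null -w '%{http_code}\n' "$1"
}
if [ -n "$CHECK_URL" ]; then
    check_status "$CHECK_URL"
fi
```

To test a live site, run it as `CHECK_URL='http://www.yoursite.com/?anything' sh check.sh`. Note that curl without -L reports the 301 itself; with -L it reports the status of /404.shtml, and a static page served that way normally returns 200 rather than 404. If you want the crawler to see a real 404 without a redirect, Apache's RewriteRule accepts a non-redirect status in the R flag (e.g. `RewriteRule ^/?$ - [R=404,L]`), so check the code with the helper above rather than assuming.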
  • In the administration go to:

    System > Settings > Short URLs Settings

    Once you select the Error-Module in the field "Module to use when permalink contains no module name" you will get a clean 404-error.

    --
    Cheers, Sascha

    Philivision, Inc. - User of Zikula since 2002...
  • Yes, that's if you are using "Directory" as the "Type of URLs generated", many like myself prefer the file Type such as blabla-1234.html and that's not possible.
  • Quote

    bug/security issues should be reported here

    Quote

    I would but that site is the core site and doesn't accept my login details, it seems they are separate from this forum's login and it's pointless registering on every subdomain of zikula.org.

    yes, you'll need to register. tough it out, you can do it.
