mahmoud
General
Monday, August 29 2016, 03:57 PM
Hi All,

Please, I need your support regarding restricting short URLs.

I'm using your extension to enhance users' profiles, and recently the security team scanned my application with IBM AppScan and found that the application didn't restrict the short URLs in the profile pages.

Here is an example:

The short URL for the Profile Page is "http://www.example.com/profile/"
The short URL for the Edit Profile Page is "http://www.example.com/profile-edit/"
The short URL for the User Table List Page is "http://www.example.com/user-table-list/"

If the scanner tries "http://www.example.com/profile/owa_util.signature", the web application responds with HTTP 200 OK instead of a redirect to the 404 Not Found page or the 403 Forbidden page.

When I tried the above manually, the page reloads and shows the profile page correctly, but the address bar shows the obfuscated URL "http://www.example.com/profile/owa_util.signature".

This happens on the "/profile" and "/user-table-list" pages, but not on the profile-edit page: when I type any value after the forward slash, as in "/profile-edit/any-value", the page is redirected to the "/profile" page.

There is also some weird behaviour, as follows:

- I can load the profile page inside the user list page by using "http://www.example.com/user-table-list/profile/".

- When I type any value after the forward slash, as in "/user-list/any-value", the table view is converted automatically to list view.

Note: none of the above issues exist on the web-app root "http://www.example.com/" or on any other pages, which are very well restricted.

Waiting for your feedback.

Regards,
admin (Admin), Accepted Answer
Hi,
I do not think this is a problem. Keep in mind that the routing is managed by Joomla, for example:
- Go to http://easy-profile.eu/ (this is our test site)
- Click the "Test" article on the frontpage; this is a simple featured Joomla article
- You will go to http://easy-profile.eu/index.php/2-uncategorised/1-test
- But if you go to http://easy-profile.eu/index.php/2-uncategorised/1-test/somethingelse you will still go to the test article page (like the previous link)

Joomla accepts all URL parameters and transforms them into GET parameters. For example, something like http://easy-profile.eu/index.php/2-uncategorised/1-test/somethingelse is the same as index.php?option=com_content&view=article&id=1:test&catid=2&Itemid=101&undefined=somethingelse (I hope this forum does not add some strange characters :D ), so the "somethingelse" string is just another GET parameter.

You can't limit number of GET parameters.

You get 404 or 403 errors when Joomla recognizes the parameter and tries to interpret it.

"I can load the profile page inside the user list page by using this "http://www.example.com/user-table-list/profile/""
This is not possible, due to Joomla's structure. Joomla needs to assign a menu item to understand the component and view that you need to render. Of course this is possible in all components that do not respect the normal Joomla MVC model.

"When I type any value after the forward slash, as in "/user-list/any-value", the table view is converted automatically to list view."
This is a bug; we will solve it in the next release ;)
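The routing behaviour this answer describes, as an added illustration that is not Easy Profile's or Joomla's own code: a minimal Python router over a constructed three-route table (the component and view names are placeholders). `route_lenient` matches only the first path segment and keeps whatever follows as a GET parameter, under the hypothetical key `undefined` borrowed from the answer's example, so `/profile/owa_util.signature` still renders with HTTP 200. `route_strict` accepts only an exact match and answers 404 for leftover segments, which is the behaviour a scanner such as AppScan is probing for when it appends junk to a known path.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed route table standing in for the three menu items in the post.
# The component/view names are placeholders, not the extension's real ones.
ROUTES = {
    "profile":         {"option": "com_example", "view": "profile"},
    "profile-edit":    {"option": "com_example", "view": "edit"},
    "user-table-list": {"option": "com_example", "view": "users", "layout": "table"},
}
HOME = {"option": "com_example", "view": "home"}


def _segments(path):
    """Split a URL path into non-empty segments, so '/profile/' -> ['profile']."""
    return [s for s in path.split("/") if s]


def route_lenient(url):
    """Match only the first segment; anything after it survives as an extra
    GET parameter (here under the hypothetical key 'undefined', mirroring the
    answer's example).  Unknown trailing segments therefore still render the
    page with HTTP 200, which is the behaviour the scanner reported."""
    parts = urlsplit(url)
    segs = _segments(parts.path)
    if not segs:
        return 200, dict(HOME)
    head, rest = segs[0], segs[1:]
    if head not in ROUTES:
        return 404, None
    params = dict(ROUTES[head])
    params.update(parse_qsl(parts.query))
    if rest:
        # The leftover path is never resolved against the filesystem; it is
        # just carried along as a query-string value the view ignores.
        params["undefined"] = "/".join(rest)
    return 200, params


def route_strict(url):
    """Require an exact route match: exactly one known segment (plus an optional
    trailing slash).  Leftover segments are rejected with 404 before any page
    renders, which is what the scanner is checking for."""
    parts = urlsplit(url)
    segs = _segments(parts.path)
    if not segs:
        return 200, dict(HOME)
    if len(segs) != 1 or segs[0] not in ROUTES:
        return 404, None
    params = dict(ROUTES[segs[0]])
    params.update(parse_qsl(parts.query))
    return 200, params


if __name__ == "__main__":
    # Constructed probes taken from the URLs quoted in the post.
    probes = [
        "http://www.example.com/profile/",
        "http://www.example.com/profile/owa_util.signature",
        "http://www.example.com/user-table-list/profile/",
        "http://www.example.com/nope/",
    ]
    for url in probes:
        lenient, _ = route_lenient(url)
        strict, _ = route_strict(url)
        print(f"{url:55} lenient={lenient} strict={strict}")
```

Whether the lenient behaviour counts as a finding is a judgement call: the scanner cannot tell a deliberately tolerant router from a path-handling bug, so the evidence the security team usually wants is that the extra segment is only ever treated as a query-string value and never resolved against the filesystem or interpreted as a separate view. The `owa_util.signature` string itself is a generic probe for an unrelated product (Oracle's PL/SQL gateway) that scanners append to every known path, so a 200 there says nothing about that product being present.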

