
Thread: Contao tl_search table indexes vulnerable url in its database

  1. #1
    New user
    Join Date
    09-19-17.
    Posts
    7

    Contao tl_search table indexes vulnerable URL in its database

    Haii,

    We are in a state of misery: there is an attack attempt on our site, which is the reason for my.site.com/?dosearch=true&query=">< script >alert(document.cookie)</ script >. This script gets indexed in the url column of the tl_search table and is also shown in the search results. Can you please help us solve these vulnerable cases? Also, some unidentified arguments containing URLs get indexed in the url field as well. For example, my.site.com/?foo=bar also gets indexed in our search results, although we are not using it in any part of the site. Can anyone show us some way to prevent this, so that only the arguments we are using in the site are used and all other arguments are dropped from the search tables and from any part of the site?

  2. #2
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339


    Which Contao version are you using?

  3. #3
    New user
    Join Date
    09-19-17.
    Posts
    7


    My current Contao version is 4.4.8.

  4. #4
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339


    You should update to 4.4.18 first.

  5. #5
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339


    Btw. the only way to prevent this is by using an indexPage hook, where you analyse and process the given URL, removing any query parameters from it whenever necessary.

  6. #6
    New user
    Join Date
    09-19-17.
    Posts
    7


    Many thanks for the reply. I will update and use the hook to avoid this problem.

    One doubt: how can we identify which parameters and arguments are used for our particular site? As I am new to Contao, I have an assumption that all the valid arguments should be stored in globals. Is there anything of that kind?

  7. #7
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339


    Quote Originally Posted by ebin
    One doubt: how can we identify which parameters and arguments are used for our particular site? As I am new to Contao, I have an assumption that all the valid arguments should be stored in globals. Is there anything of that kind?
    This is something you have to analyze for yourself. There might be parameters from your own custom code or from extensions, for example.

    From the core you might have pagination parameters for example. These depend on the module ID though. It's not a trivial task.

  8. #8
    New user
    Join Date
    09-13-17.
    Posts
    26

    IndexPage

    Quote Originally Posted by Spooky
    Btw. the only way to prevent this is by using an indexPage hook, where you analyse and process the given URL, removing any query parameters from it whenever necessary.
    I wrote an indexPage hook in my plugin. When I click on "rebuild index", my function is not executed. How do I process the hook?

  9. #9
    User Spooky's Avatar
    Join Date
    01-03-13.
    Posts
    339


    One way to prevent indexing of certain URLs with query parameters is to extend the
    PHP Code:
    $GLOBALS['TL_NOINDEX_KEYS']
    array within app/Resources/contao/config/config.php. E.g.
    PHP Code:
    $GLOBALS['TL_NOINDEX_KEYS'][] = 'dosearch';
    etc.
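    The two suggestions in this thread, the indexPage hook from post #5 and the TL_NOINDEX_KEYS entry from post #9, can be combined. What follows is an added example, not code from this thread, from Contao core or from the Contao documentation: an indexPage hook that reduces the URL written to tl_search to a per-site allowlist of query parameters, so that my.site.com/?foo=bar and the injected dosearch/query URL from post #1 are stored under the page's plain URL instead of as their own entries. Assumptions: the Contao 4 hook signature with the third argument passed by reference and carrying the URL in $set['url'] (verify this against Search::indexPage() in your own version), a class that your bundle autoloads, and an illustrative allowlist (items, page_n12) that you must replace with the parameters your own audit (post #7) turns up.

```php
<?php
// Added example, not Contao core code: an indexPage hook that normalises the
// URL stored in tl_search so that every query parameter not on a per-site
// allowlist is dropped. Uses no PHP 7-only syntax. The hook signature (third
// argument by reference, carrying the URL in $set['url']) follows the Contao 4
// hook documentation; verify it against Search::indexPage() in your version.
// The namespace, class name and allowlist below are placeholders.

namespace App\Hook;

class SearchUrlNormalizer
{
    // Parameters that may legitimately remain in an indexed URL. Fill this in
    // from your own audit of modules and extensions (see post #7); the two
    // entries here are illustrative only.
    const ALLOWED_KEYS = ['items', 'page_n12'];

    // Hook callback; register it in app/Resources/contao/config/config.php:
    //   $GLOBALS['TL_HOOKS']['indexPage'][] = [SearchUrlNormalizer::class, 'onIndexPage'];
    public function onIndexPage($content, array $data, array &$set)
    {
        if (isset($set['url'])) {
            $set['url'] = self::normalizeUrl($set['url'], self::ALLOWED_KEYS);
        }
    }

    /**
     * Return $url with its query string reduced to the allow-listed keys,
     * sorted so that parameter order cannot produce two index rows for the
     * same page, and with any fragment removed. Works on relative URLs as
     * Contao stores them (e.g. "en/news.html?foo=bar") as well as absolute ones.
     */
    public static function normalizeUrl($url, array $allowedKeys)
    {
        $parts = parse_url($url);
        if ($parts === false) {
            // Unparseable input: keep only what precedes the first '?' or '#'.
            return preg_replace('/[?#].*/s', '', $url);
        }

        $base = (isset($parts['scheme']) ? $parts['scheme'] . '://' : '')
              . (isset($parts['host']) ? $parts['host'] : '')
              . (isset($parts['port']) ? ':' . $parts['port'] : '')
              . (isset($parts['path']) ? $parts['path'] : '');

        $kept = [];
        $query = isset($parts['query']) ? $parts['query'] : '';
        foreach (explode('&', $query) as $pair) {
            if ($pair === '') {
                continue;
            }
            // Decide on the decoded parameter name only; the value is kept
            // verbatim (still percent-encoded) so nothing gets re-interpreted.
            $name = rawurldecode(explode('=', $pair, 2)[0]);
            if (in_array($name, $allowedKeys, true)) {
                $kept[] = $pair;
            }
        }
        sort($kept, SORT_STRING);

        return $base . ($kept ? '?' . implode('&', $kept) : '');
    }
}
```

    With the illustrative allowlist, normalizeUrl() turns news.html?foo=bar and news.html?dosearch=true&query=%22%3E%3Cscript%3E into news.html, and news.html?page_n12=2&foo=bar into news.html?page_n12=2. The TL_NOINDEX_KEYS entry from post #9 remains useful as the cheaper first line: a key listed there keeps the request from being indexed at all, whereas this hook still indexes the page and only canonicalises the URL it is stored under.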

  10. #10
    New user
    Join Date
    09-13-17.
    Posts
    26

    Ignore indexing by value

    Quote Originally Posted by Spooky
    One way to prevent indexing of certain URLs with query parameters is to extend the
    PHP Code:
    $GLOBALS['TL_NOINDEX_KEYS']
    array within app/Resources/contao/config/config.php. E.g.
    PHP Code:
    $GLOBALS['TL_NOINDEX_KEYS'][] = 'dosearch';
    etc.

    Like $GLOBALS['TL_NOINDEX_KEYS'][], is there any other configuration for ignoring the URL if it contains values with specific patterns?
