Support

Posted by mahmoud in General, Monday, August 29 2016, 03:57 PM
Hi All,

Please, I need your support regarding restricting short URLs.

I'm using your extension to enhance users' profiles, and recently the security team scanned my application with IBM AppScan and found that the application doesn't restrict the short URLs on the profile pages.

Here is an example:

The short URL for the Profile page is "http://www.example.com/profile/"
The short URL for the Edit Profile page is "http://www.example.com/profile-edit/"
The short URL for the User Table List page is "http://www.example.com/user-table-list/"

If the scanner tries "http://www.example.com/profile/owa_util.signature", the web application responds with HTTP 200 OK instead of a redirect to a 404 Not Found page or a 403 Forbidden page.

When I tried the above manually, the page reloads and shows the profile page correctly, but the address bar shows the obfuscated URL "http://www.example.com/profile/owa_util.signature".

This happens on the "/profile" and "/user-table-list" pages, but not on the profile-edit page: when I type any value after the forward slash, as in "/profile-edit/any-value", the page is redirected to the "/profile" page.

There is also some weird behaviour, as follows:

- I can load the profile page inside the user list page by using "http://www.example.com/user-table-list/profile/"

- When I type any value after the forward slash, as in "/user-list/any-value", the table view is automatically converted to the list view.

Note: none of the above-mentioned issues exist on the web-app root "http://www.example.com/" or on any other pages, which are very well restricted.

Waiting for your feedback.

Regards,
Accepted Answer
Admin
Hi,
I do not think this is a problem; keep in mind that the routing is managed by Joomla. For example:
- Go to http://easy-profile.eu/ (this is our test site)
- Click the "Test" article on the front page; this is a simple featured Joomla article
- You will go to http://easy-profile.eu/index.php/2-uncategorised/1-test
- But if you go to http://easy-profile.eu/index.php/2-uncategorised/1-test/somethingelse you will still get the test article page (like the previous link)

Joomla accepts all URL parameters and transforms them into GET parameters. For example, something like http://easy-profile.eu/index.php/2-uncategorised/1-test/somethingelse is the same as index.php?option=com_content&view=article&id=1:test&catid=2&Itemid=101&undefined=somethingelse (I hope this forum does not add some strange chars :D ), so the "somethingelse" string is just another GET parameter.

You can't limit the number of GET parameters.

You get 404 or 403 errors when Joomla recognizes the parameter and tries to interpret it.

I can load the profile page inside the user list page by using "http://www.example.com/user-table-list/profile/"
This is not possible, due to the Joomla structure. Joomla needs to assign a menu item to understand the component and view that you need to render. Of course this is possible in all components that do not respect the normal Joomla MVC model.

When I type any value after the forward slash, as in "/user-list/any-value", the table view is automatically converted to the list view.
This is a bug; we will solve it in the next release ;)
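A way to reproduce the scanner's finding against your own site, and to see which of the three short URLs behave as described in the thread. This is an added example in Python, not code from the original post, from Easy Profile or from Joomla. For each short URL it fetches the clean page and the same page with a junk trailing segment appended, then reports whether the extra segment was rejected, redirected away, or silently accepted (with the same or a different page). The site name, the page bodies in `PAGES` and the `fake_fetch` responses are constructed from the behaviour the post describes, not captured from a real server; the `owa_util.signature` token is the one the scanner used in the post.

```python
"""Reproduce the "unrestricted short URL" finding from the thread above.

Added example, not code from the original post or from Easy Profile/Joomla.
For each short URL it fetches the clean page and the same page with a junk
trailing segment, then classifies what the site did with the extra segment:

  rejected          403/404, the segment was refused (what the scanner expects)
  redirected        the site sent the browser elsewhere (the /profile-edit/ case)
  accepted-same     200 and the same page came back (the /profile/ case)
  accepted-changed  200 but a different page came back (the table-to-list case)

The HTTP fetcher is injectable so the logic can be exercised offline; the
fake fetcher at the bottom is constructed from what the post describes,
not captured from a real site.
"""
import secrets
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

Response = Tuple[int, str, str]          # (status, final URL after redirects, body)
Fetcher = Callable[[str], Response]


def fetch_http(url: str) -> Response:
    """Real fetcher: follows redirects like a browser and reports the final URL."""
    req = urllib.request.Request(url, headers={"User-Agent": "short-url-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.geturl(), err.read().decode("utf-8", "replace")


def similarity(a: str, b: str) -> float:
    """Jaccard similarity over response lines: cheap and good enough for HTML pages."""
    la, lb = set(a.splitlines()), set(b.splitlines())
    if not la and not lb:
        return 1.0
    return len(la & lb) / len(la | lb)


def classify(probe_url: str, base: Response, probed: Response, token: str,
             threshold: float = 0.9) -> str:
    """Decide what the site did with the junk segment appended in probe_url."""
    status, final_url, body = probed
    if status in (403, 404):
        return "rejected"
    if final_url.rstrip("/") != probe_url.rstrip("/"):
        return "redirected"
    if status != 200:
        return "http-%d" % status
    # Drop the token itself so a canonical link or form action that echoes the
    # requested path does not count as a content difference.
    ratio = similarity(base[2], body.replace(token, ""))
    return "accepted-same" if ratio >= threshold else "accepted-changed"


def check_site(base_url: str, paths: Iterable[str], fetch: Fetcher = fetch_http,
               token: Optional[str] = None) -> Dict[str, str]:
    """Probe each short URL under base_url and return {path: verdict}."""
    token = token or "x" + secrets.token_hex(4)   # random, so it cannot be a real route
    origin = base_url.rstrip("/")
    verdicts: Dict[str, str] = {}
    for path in paths:
        path = path.strip("/")
        clean_url = origin + "/" + (path + "/" if path else "")
        probe_url = clean_url + token
        verdicts[path] = classify(probe_url, fetch(clean_url), fetch(probe_url), token)
    return verdicts


# Constructed responses mirroring what the post describes for www.example.com
# (not real captures); used for the offline demonstration and the tests.
ORIGIN = "http://www.example.com"
PAGES = {
    "": "<h1>Home</h1>\n<p>Latest articles</p>",
    "profile": "<h1>Profile</h1>\n<p>Name: mahmoud</p>\n<p>Group: General</p>",
    "profile-edit": "<h1>Edit profile</h1>\n<form action=\"/profile-edit/\">...</form>",
    "user-table-list": "<h1>Users</h1>\n<table><tr><td>mahmoud</td></tr></table>",
}
LIST_VIEW = "<h1>Users</h1>\n<ul><li>mahmoud</li></ul>"


def fake_fetch(url: str) -> Response:
    """Offline stand-in for fetch_http, scripted from the thread's description."""
    first, _, rest = url[len(ORIGIN):].strip("/").partition("/")
    if first not in PAGES:                       # root and unknown pages: proper 404
        return 404, url, "<h1>404 Not Found</h1>"
    if not rest:                                 # the clean short URL
        return 200, url, PAGES[first]
    if first == "profile-edit":                  # extra segment: bounced to /profile
        return 200, ORIGIN + "/profile/", PAGES["profile"]
    if first == "user-table-list":               # extra segment flips table to list
        return 200, url, LIST_VIEW
    return 200, url, PAGES[first]                # /profile/<junk>: same page, 200


if __name__ == "__main__":
    site, *paths = sys.argv[1:] or [ORIGIN]
    fetch = fake_fetch if site == ORIGIN else fetch_http
    for path, verdict in check_site(site, paths or list(PAGES), fetch).items():
        print("/%-16s %s" % (path, verdict))
```

Run it with no arguments to see the scripted example.com behaviour, or with your site URL followed by the short paths (for example `profile profile-edit user-table-list`) to probe a live site. The verdict only tells you whether the trailing segment was swallowed, which is the routing behaviour the answer describes; it does not by itself prove an exploitable weakness, but it gives the security team a reproducible list of which pages do it and how, which is what an AppScan report of this kind needs to be answered with.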


