aimeos / aimeos-core

Aimeos PHP e-commerce framework for ultra fast online shops, scalable marketplaces, complex B2B applications and #gigacommerce
https://aimeos.org

URL parameter sanitization #310

Open nvindice opened 1 year ago

nvindice commented 1 year ago

Hi, I'm not sure where to post this best, so I created an issue here at the core package. Affected version is at least 2021.10 on TYPO3.

Additionally, I'm not sure where this problem comes from - I guess it's caching related.

Google stores a dozen URLs to our shop with additional parameters like ?currency=EUR"'`--)&locale=de&site=default. To me, this looks like somebody tried out SQL injections which was somehow cached and then later discovered by Google.

How to get rid of these "dirty" links?

aimeos commented 1 year ago

Yes, that looks like SQL injection attempts

nvindice commented 1 year ago

Shouldn't the parameters be sanitized before they are used for URL generation and then cached? I don't care for unsuccessful hacking attempts, but I don't want them to be part of our Google search results.

aimeos commented 1 year ago

How did you add the language/currency selection and what's the URL of your site?

nvindice commented 1 year ago

We don't have a language/currency selection. URL: belago*de

aimeos commented 1 year ago

What are the URLs which contain that parameters?

nvindice commented 1 year ago

Currently hopefully none, we cleared the cache and reset Google's index. Yesterday Google (!) listed a couple of pages like this: https://belago*de/c/Unsere_Beststeller~22?ai[currency]=EUR%22%27`--)&ai[locale]=de&ai[site]=default&currency=EUR%22%27`--)&locale=de&site=default

jonaseberle commented 1 year ago

I think it is related to those parameters being excluded from cHash validation:

In aimeos/aimeos-typo3:

https://github.com/aimeos/aimeos-typo3/blob/master/ext_localconf.php#L274-L278

I suggest to review that.
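The underlying point raised in the thread (parameters should be validated before they are reused for URL generation and cached, and excluding them from cHash validation means the cache layer will not reject odd values for you) can be shown with a small allow-list filter. The following is an added example, not code from Aimeos or the aimeos-typo3 extension; the parameter names `currency`, `locale` and `site` come from the URLs quoted above, while the `ShopParams` class, the regular expressions and the list of known site codes are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Aimeos/TYPO3 code): allow-list validation of the
// currency/locale/site request parameters before they are reused to build
// links. Values that fail validation are dropped rather than escaped, so an
// injection probe such as EUR"'`--) never reaches generated URLs or the cache.
final class ShopParams
{
    /** Site codes assumed to exist in this shop (assumption for the example). */
    private const SITES = ['default'];

    /** Strict patterns per parameter; anything that does not match is discarded. */
    private const RULES = [
        'currency' => '/^[A-Z]{3}$/',             // ISO 4217 code, e.g. EUR
        'locale'   => '/^[a-z]{2}(_[A-Z]{2})?$/', // e.g. de or de_DE
        'site'     => '/^[a-z0-9_-]{1,32}$/',     // short site code
    ];

    /**
     * Return only the parameters that pass the allow-list.
     * Unknown parameters and invalid values are silently dropped.
     */
    public static function clean(array $params): array
    {
        $out = [];
        foreach (self::RULES as $name => $pattern) {
            if (!isset($params[$name]) || !is_string($params[$name])) {
                continue;
            }
            $value = $params[$name];
            if (preg_match($pattern, $value) !== 1) {
                continue; // e.g. currency=EUR"'`--) fails the [A-Z]{3} rule
            }
            if ($name === 'site' && !in_array($value, self::SITES, true)) {
                continue; // syntactically fine but not a configured site
            }
            $out[$name] = $value;
        }
        return $out;
    }

    /** Build a link to $path that carries only the cleaned parameters. */
    public static function url(string $path, array $params): string
    {
        $query = http_build_query(self::clean($params), '', '&', PHP_QUERY_RFC3986);
        return $query === '' ? $path : $path . '?' . $query;
    }
}

// Constructed input mirroring the query string quoted in the thread.
parse_str('currency=EUR%22%27%60--)&locale=de&site=default', $input);

var_dump(ShopParams::clean($input));
echo ShopParams::url('/c/Unsere_Beststeller~22', $input), PHP_EOL;
```

Run with `php example.php`: the `currency` value fails the three-letter rule and is dropped, while `locale=de` and `site=default` survive, so the generated link no longer echoes the probe. The key design choice is rejecting rather than escaping: an escaped `EUR%22%27%60--)` would still be a valid-looking URL that a crawler can index, whereas a dropped parameter falls back to the shop default. When a parameter is excluded from cHash validation, as the linked `ext_localconf.php` lines are said to do, this kind of check in the extension is the only place the value is ever inspected before it lands in a cached page.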