apostrophecms / apostrophe-workflow

Provides approval-based workflow and localization capabilities for projects that need them. An optional component of the Apostrophe CMS.
MIT License

link-to-locale may be abused for malicious SEO purposes #331

Open fredrikekelund opened 3 years ago

fredrikekelund commented 3 years ago

We're seeing a number of URLs in Google Search Console that look something like this: https://mysite.com/modules/apostrophe-workflow/link-to-locale?slug=https://spammy-domain-name.com/page. It took me a minute to understand what they were, but my current hypothesis is that it's an attempt to gain SEO juice for the spammy domains by abusing the fact that the /apostrophe-workflow/link-to-locale endpoint can redirect to an arbitrary URL (even external sites). Google Search Console reports these as "Crawled - currently not indexed", which makes sense since none of them are for internal URLs, but I assume they might be able to gain some SEO points by using this tactic.

boutell commented 3 years ago

Hmm, that makes sense but I tried to do it with a URL on an actual site that runs the workflow module and was not successful, at least when logged out. So I'm not sure if there's an actual vulnerability here. Do you have an example of it resulting in actual redirects to the site? You could email tom@apostrophecms.com if you prefer. Thanks!

fredrikekelund commented 3 years ago

You may need to encode the target URL. When I do that (i.e. https://mysite.com/modules/apostrophe-workflow/link-to-locale?https%3A%2F%2Fspammy-domain-name.com%2Fpage) I get redirected, even when logged out.
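
The behaviour discussed in this thread is an open redirect. As an added example (not code from apostrophe-workflow and not the module's actual fix), here is one way a redirect endpoint can restrict its target to a path on its own site. `safeRedirectTarget`, `redirectDecision` and `SITE_ORIGIN` are hypothetical names, and the sketch assumes the target is always meant to be a same-site path.

```javascript
// Added example: hypothetical helpers, not apostrophe-workflow code.
// SITE_ORIGIN is a constructed value standing in for the site's own origin.
const SITE_ORIGIN = 'https://mysite.com';

// Returns a same-origin path that is safe to redirect to, or null when the
// value would send the visitor off-site. `raw` is the already-decoded query
// value, so percent-encoded external URLs arrive here in plain form.
function safeRedirectTarget(raw, siteOrigin = SITE_ORIGIN) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  // Control characters are stripped by URL parsers and "\" is treated like
  // "/", so "/\host" can behave as the protocol-relative "//host".
  if (/[\u0000-\u001f\\]/.test(raw)) return null;
  // Require exactly one leading slash: rejects absolute URLs ("https://...")
  // and protocol-relative ones ("//host/path").
  if (!raw.startsWith('/') || raw.startsWith('//')) return null;
  let resolved;
  try {
    resolved = new URL(raw, siteOrigin);
  } catch (e) {
    return null;
  }
  // Defense in depth: the resolved URL must still be on our origin.
  if (resolved.origin !== new URL(siteOrigin).origin) return null;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Decision an endpoint could make from its parsed query object
// (assumes the target arrives in a `slug` parameter, as in the first URL above).
function redirectDecision(query) {
  const target = safeRedirectTarget(query.slug);
  return target ? { status: 302, location: target } : { status: 400 };
}

// Constructed sample query strings, decoded the way a web framework would.
const samples = [
  'slug=/fr/about',
  'slug=https%3A%2F%2Fspammy-domain-name.com%2Fpage',
  'slug=%2F%2Fspammy-domain-name.com%2Fpage'
];
for (const qs of samples) {
  const slug = new URLSearchParams(qs).get('slug');
  console.log(qs, '->', JSON.stringify(redirectDecision({ slug })));
}
```

Only the first sample yields a 302; the encoded absolute and protocol-relative targets are refused with a 400.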