rystaf / mlmym

a familiar desktop experience for lemmy
GNU Affero General Public License v3.0

/link endpoint allows redirection to any arbitrary URL #101

Closed Sh4d closed 4 months ago

Sh4d commented 4 months ago

On old.lemmy.ca we're seeing a significant number of requests from Google Bot to random sites:

    66.249.72.233 - - [27/Feb/2024:21:49:30 -0800] "GET /link?url=https://moebelsachverstaendiger-ganz.de/orang-angkat-tangan.html HTTP/1.1" 302 87 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.233 - - [27/Feb/2024:21:49:38 -0800] "GET /link?url=https://libangcapital.ca/score808-world-cup-2023.html HTTP/1.1" 302 76 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.233 - - [27/Feb/2024:21:49:39 -0800] "GET /link?url=https://barbara-proettel.de/cara-hipnotis-lewat-bbm.html HTTP/1.1" 302 79 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.233 - - [27/Feb/2024:21:49:45 -0800] "GET /link?url=https://victoriawoodfloors.ca/pinjaman-bri-jaminan-sertifikat-rumah.html HTTP/1.1" 302 95 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.234 - - [27/Feb/2024:21:50:35 -0800] "GET /link?url=https://sugardaddybaby.ca/real-drum-apk-mod.html HTTP/1.1" 302 71 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    2001:569:7d2d:fb00::1457 - - [27/Feb/2024:21:50:59 -0800] "GET /link?url=https://courtneysweetofficiant.ca/syarat-foto-visa.html HTTP/1.1" 302 78 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
    66.249.72.234 - - [27/Feb/2024:21:51:25 -0800] "GET /link?url=https://parentpath.ca/mimpi-dapat-ikan-mas-besar-no-togel.html HTTP/1.1" 302 85 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.233 - - [27/Feb/2024:21:51:54 -0800] "GET /link?url=https://djb-freren.de/tempat-hunting.html HTTP/1.1" 302 64 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.233 - - [27/Feb/2024:21:52:51 -0800] "GET /link?url=https://solarpunkcanuck.ca/best-payout-online-pokies-australia.html HTTP/1.1" 302 90 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.234 - - [27/Feb/2024:21:53:16 -0800] "GET /link?url=https://10kx07.de/logo-tartila.html HTTP/1.1" 302 58 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.234 - - [27/Feb/2024:21:53:19 -0800] "GET /link?url=https://johnshoreofficiant.ca/lirik-lagu-biarkan-aku-menjaga-perasaan-ini.html HTTP/1.1" 302 101 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.234 - - [27/Feb/2024:21:54:04 -0800] "GET /link?url=https://werr-bee.de/livesports808-persib-vs-persija.html HTTP/1.1" 302 79 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.233 - - [27/Feb/2024:21:54:05 -0800] "GET /link?url=https://deingeldbleibthier.de/data-singapura-hari-ini-2022.html HTTP/1.1" 302 86 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.234 - - [27/Feb/2024:21:54:42 -0800] "GET /link?url=https://washwithcare.ca/pos4d-rtp.html HTTP/1.1" 302 61 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.139 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

This appears to be some sort of SEO abuse that mlmym enables: https://www.fastfwd.com/302-redirect-hijacking/

From a quick scan, I'm not seeing many places that mlmym even uses this 302 redirect, so for now I've blocked this in our upstream nginx:

    location /link {
        deny all;
    }

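For operators who want to confirm from their own access logs whether the `/link` endpoint is being used as an open redirect, here is an added example (not part of this issue or of mlmym) that scans nginx combined-format lines for 302 `/link?url=` redirects whose target host is not the instance's own. The log lines and hostnames in it are constructed placeholders; the only assumption is that the operator knows which hostnames are legitimately theirs.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample lines in nginx "combined" format (placeholder hosts, not the reporter's log).
const sampleLog = `203.0.113.5 - - [27/Feb/2024:21:49:30 -0800] "GET /link?url=https://spam.example/page.html HTTP/1.1" 302 87 "-" "Googlebot/2.1"
203.0.113.5 - - [27/Feb/2024:21:49:38 -0800] "GET /link?url=https://old.lemmy.example/post/1 HTTP/1.1" 302 76 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2024:21:50:59 -0800] "GET /link?url=https://spam.example/other.html HTTP/1.1" 302 78 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2024:21:51:25 -0800] "GET /post/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"`

var reqRe = regexp.MustCompile(`"(?:GET|HEAD) (/link\?[^ "]*) HTTP/[0-9.]+" (\d{3})`)

// ExternalRedirects counts 302 /link redirects whose url= target host is not one of the
// operator's own hosts; the result maps external host -> number of redirects seen.
func ExternalRedirects(logText string, ownHosts ...string) map[string]int {
	own := map[string]bool{}
	for _, h := range ownHosts {
		own[strings.ToLower(h)] = true
	}
	counts := map[string]int{}
	for _, line := range strings.Split(logText, "\n") {
		m := reqRe.FindStringSubmatch(line)
		if m == nil || m[2] != "302" {
			continue // not a /link request, or the redirect did not happen
		}
		req, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		target, err := url.Parse(req.Query().Get("url"))
		if err != nil || target.Host == "" {
			continue // relative or unparsable target: cannot leave the site
		}
		if host := strings.ToLower(target.Hostname()); !own[host] {
			counts[host]++
		}
	}
	return counts
}

func main() {
	for host, n := range ExternalRedirects(sampleLog, "old.lemmy.example") {
		fmt.Printf("%-30s %d redirect(s)\n", host, n)
	}
}
```

A steady stream of distinct external hosts here, especially from crawler user agents, is the signature of the redirect hijacking described above.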
DraconicNEO commented 4 months ago

@rystaf This seems like a pretty serious issue; might want to look into this sooner rather than later.

rystaf commented 4 months ago

I removed the /link endpoint in the latest release 0.0.40. This was used to redirect users to the "old" interface when clicking on non-"old" lemmy links. I'll look into a better solution for this.
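If a redirect-to-"old" feature is reintroduced, the safe shape is to accept only links to the configured Lemmy instance and rewrite them onto the "old" front-end, never echoing a caller-supplied host. The following is an added example written for this issue, not mlmym's own code; `lemmy.example` and `old.lemmy.example` are placeholder hostnames standing in for whatever the operator configures.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// Assumed placeholder hosts (not mlmym's config): upstream Lemmy instance and the "old" front-end.
const (
	lemmyHost = "lemmy.example"
	oldHost   = "old.lemmy.example"
)

var errUntrusted = errors.New("refusing redirect to untrusted target")

// SafeRedirectTarget accepts only absolute http(s) URLs whose host is the configured
// Lemmy instance and rewrites them onto the "old" front-end. Other hosts, scheme-relative
// //host URLs, non-http schemes and userinfo tricks (https://lemmy.example@evil) are rejected.
func SafeRedirectTarget(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || !u.IsAbs() || (u.Scheme != "http" && u.Scheme != "https") {
		return "", errUntrusted
	}
	if u.User != nil || !strings.EqualFold(u.Hostname(), lemmyHost) {
		return "", errUntrusted
	}
	// Rebuild from parts so path/query survive and the scheme is pinned to https.
	out := url.URL{Scheme: "https", Host: oldHost, Path: u.Path, RawQuery: u.RawQuery, Fragment: u.Fragment}
	return out.String(), nil
}

// LinkHandler is a hardened /link handler: it only ever 302s to the derived own-host URL.
func LinkHandler(w http.ResponseWriter, r *http.Request) {
	target, err := SafeRedirectTarget(r.URL.Query().Get("url"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}

func main() {
	http.HandleFunc("/link", LinkHandler)
	http.ListenAndServe(":8080", nil)
}
```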

Sh4d commented 4 months ago

Awesome, thanks for the quick patch!