Security Issues with Sitefinity

11 posts, 0 answered
  1. Siddesh Kapadi
    239 posts
    Registered:
    09 Oct 2009
    11 Jul 2013
    Hi Team Telerik,

    We have a possible security issue with Sitefinity, where we can spoof the URL and modify the form post. Here is an example:

    http://www.sitefinity.com/developer-network/forums/bugs-issues.creditcheckscorecheck.appspot.com

    Please view the source of the above URL and check the form post URL.

    Ideally, it should take the user to a 404 page, but it loads the page.

    Let us know how we can fix this.

    Regards,
    Siddesh Kapadi
  2. Arno
    249 posts
    Registered:
    08 Sep 2010
    11 Jul 2013 in reply to Siddesh Kapadi
    Hi Siddesh,

    I think this problem occurs for all content items. I have seen it for forums and reported the problem (here is the PITS, please vote for it). For starters, it's bad for SEO, but I didn't know one could mess with the form action parameter this way. That's not good at all. Hopefully your discovery will raise the priority of this bug.
  3. Stefani Tacheva
    718 posts
    Registered:
    06 Dec 2016
    16 Jul 2013
    Hello,

    As Arno mentioned, this feature request could be found on the following URL. You could track its status and vote for its popularity there.

    Regards,
    Stefani Tacheva
    Telerik
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
  4. Steve
    3037 posts
    Registered:
    03 Dec 2008
    16 Jul 2013 in reply to Arno
    +50 I had to make my own httpmodule to 404 all these bad pages...I know what item is coming in on the url based on the parent, do a lookup, if I don't find it, throw a 404

    ...but I shouldn't have to do that.

    Here's another one for ya...drop a widget on a page and specify you only want it to show content from category X.  Then get the UrlName from an item NOT in category X and put it in the url...the item renders fine. 
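
The workaround described in the post above (look the item up under its parent page and return a 404 when it is not found), sketched as an added example. This is not Steve's module or Sitefinity code; the class name and the `KnownItems` table are hypothetical stand-ins for a real content lookup, and the item names in it are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example (not Sitefinity or forum code): 404 any request under a
// guarded parent page whose remaining path is not a known item UrlName.
public class StrictItemUrlModule : IHttpModule
{
    // Hypothetical, constructed lookup: parent path -> item UrlNames.
    // A real module would query the content store and cache the result.
    private static readonly Dictionary<string, HashSet<string>> KnownItems =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "/developer-network/forums", new HashSet<string>(
                new[] { "bugs-issues", "general-discussions" },
                StringComparer.OrdinalIgnoreCase) },
        };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            var path = ((HttpApplication)sender).Request.Url.AbsolutePath;
            if (!IsKnownUrl(path))
                throw new HttpException(404, "Not Found");
        };
    }

    // True when the path is outside every guarded parent, is the parent
    // page itself, or is parent + "/" + an exact, known UrlName.
    public static bool IsKnownUrl(string path)
    {
        path = path.TrimEnd('/');
        foreach (var entry in KnownItems)
        {
            if (path.Equals(entry.Key, StringComparison.OrdinalIgnoreCase))
                return true;
            if (!path.StartsWith(entry.Key + "/", StringComparison.OrdinalIgnoreCase))
                continue;
            // Exact match only: "bugs-issues.creditcheckscorecheck.appspot.com"
            // is not "bugs-issues", so the spoofed URL from the thread fails here.
            return entry.Value.Contains(path.Substring(entry.Key.Length + 1));
        }
        return true;
    }

    public void Dispose() { }
}
```

Because the check runs in `BeginRequest`, the request is rejected before any page markup, form action, or canonical URL is generated from the attacker-supplied path.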
  5. Markus
    2763 posts
    Registered:
    25 Nov 2005
    16 Jul 2013 in reply to Steve
    Dear Stefani

    I have not tested this but from what I read - Feature Request - sounds a bit strange. 

    Markus
  6. Steve
    3037 posts
    Registered:
    03 Dec 2008
    16 Jul 2013 in reply to Markus
    +200 @Markus

    A critical SEO bug is not a "Feature request"

    I'll bet dollars to donuts that bad URL will be in the generated canonical url too
  7. Arno
    249 posts
    Registered:
    08 Sep 2010
    17 Jul 2013
    This is certainly not just a feature request. It's an SEO-related bug that shouldn't be in a CMS that claims to be SEO friendly. Anyway, the September release of Sitefinity is going to introduce a major improvement: folder names are no longer required in the URLs, so by then we can really choose what a URL should look like (PITS). It would be a good time to tackle this bug as well.

    Please people, for what it's worth, vote for the PITS.
  8. Arno
    249 posts
    Registered:
    08 Sep 2010
    17 Jul 2013
    <duplicate post>
  9. Arno
    249 posts
    Registered:
    08 Sep 2010
    17 Jul 2013
    Telerik: please also fix that "invalid post content" bug in the forum. I had links in my previous post but it refused to save that.
  10. Stefani Tacheva
    718 posts
    Registered:
    06 Dec 2016
    19 Jul 2013
    Hi all,

    The error: Invalid Post Content is a known problem in Sitefinity forums and we are investigating it at the moment. I hope that it will be fixed soon.

    Regarding the other problem, I definitely agree with you that this is a bug. I have changed the type from a feature request to a bug and discussed the problem internally. I have also increased the severity of the bug. Apologies for the inconvenience this problem caused you.

    Regards,
    Stefani Tacheva
    Telerik
  11. Arno
    249 posts
    Registered:
    08 Sep 2010
    20 Jul 2013 in reply to Stefani Tacheva
    Thanks for that Stefani!