Security Issues with Sitefinity
Hi Team Telerik,
We have a possible security issue with Sitefinity, where we can spoof the URL and modify the form post. Here is an example:
Please view the source of the above URL and check the form post URL.
Ideally, it should take the user to 404 page, but it loads the page.
Let us know how we can fix this.
I think this problem occurs for all content items. I have seen it for forums and reported the problem (here is the PITS, please vote for it). For starters, it's bad for SEO, but I didn't know one could mess with the form action parameter this way. That's not good at all. Hopefully your discovery will raise the priority of this bug.
As Arno mentioned, this feature request can be found at the following URL. You can track its status and vote for its popularity there.
+50 I had to make my own HttpModule to 404 all these bad pages...I know what item is coming in on the URL based on the parent, do a lookup, and if I don't find it, throw a 404
...but I shouldn't have to do that.
Here's another one for ya...drop a widget on a page and specify you only want it to show content from category X. Then get the UrlName from an item NOT in category X and put it in the URL...the item renders fine.
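The HttpModule workaround described in the post above, as an added example that is not code from the thread or from Sitefinity: a request filter that resolves the URL's parent (or category) segment and item segment, and returns 404 when the item does not actually belong under that parent. The lookup table and the URL values in it are constructed placeholders standing in for a real content query.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example (not from the thread or from Sitefinity): an IHttpModule that
// refuses to serve a content item whose UrlName does not belong under the
// parent (or category) named earlier in the URL, returning 404 instead.
public class ContentUrlGuardModule : IHttpModule
{
    // Hypothetical lookup: the UrlNames that legitimately live under a given
    // parent/category segment. A real site would query the CMS content API;
    // this is a constructed in-memory table with placeholder values.
    private static readonly Dictionary<string, HashSet<string>> ItemsByParent =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "news",   new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "release-notes", "roadmap" } },
            { "events", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "webinar-2011" } },
        };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            var ctx = ((HttpApplication)sender).Context;
            if (!IsKnownItemUrl(ctx.Request.Path))
            {
                // Item is not under this parent: answer 404 instead of rendering it.
                ctx.Response.StatusCode = 404;
                ctx.Response.StatusDescription = "Not Found";
                ctx.ApplicationInstance.CompleteRequest();
            }
        };
    }

    // Expects item URLs shaped like /<parent>/<urlname>; anything else passes
    // through untouched so ordinary pages and static files are unaffected.
    public static bool IsKnownItemUrl(string path)
    {
        var segments = (path ?? string.Empty).Trim('/').Split('/');
        if (segments.Length != 2) return true;            // not a content item URL
        HashSet<string> items;
        if (!ItemsByParent.TryGetValue(segments[0], out items)) return true; // not a guarded parent
        return items.Contains(segments[1]);               // item must exist under THIS parent
    }

    public void Dispose() { }
}
```

With the table above, /news/release-notes passes while /events/release-notes (a valid UrlName under the wrong parent) is answered with 404, which is the case both posts describe.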
I have not tested this but from what I read - Feature Request - sounds a bit strange.
A critical SEO bug is not a "feature request".
I'll bet dollars to donuts that bad URL will be in the generated canonical URL too.
This is certainly not just a feature request. It's an SEO-related bug that shouldn't be in a CMS that claims to be SEO friendly. Anyway, the September release of Sitefinity is going to introduce a major improvement: folder names are no longer required in the URLs, so by then we can really choose what a URL should look like (PITS). It would be a good time to tackle this bug as well.
Please people, for what it's worth, vote for the PITS.
Telerik: please also fix that "invalid post content" bug in the forum. I had links in my previous post but it refused to save that.
The "Invalid Post Content" error is a known problem in Sitefinity forums and we are investigating it at the moment. I hope that it will be fixed soon.
Regarding the other problem I definitely agree with you that this is a bug. I have changed the type from a feature request to a bug and discussed the problem internally. I have also increased the severity of the bug. Apologies for the inconvenience this problem caused you.
Thanks for that Stefani!