#309 user.php?xoops_redirect=/MySecretPath/MySecretPage.php

open
nobody
None
5
2010-11-07
2010-11-07
Mikhail Miguel
No

Hi! It's about things like this:
http://127.0.0.1/user.php?xoops_redirect=/MySecretPath/MySecretPage.php

XOOPS/XCL contains a session token in the query parameters that refer precisely to pages with content that can only be accessed with user Login. The existence of these URLs can be exposed through log files or leaked via the Referer header. Moreover, it is more duplicated content for search engines, resulting in unnecessary consumption of bandwidth and lowering the positions in search engines. I'm not a PHP developer but... Xoops_redirect can be substituted for cookies or hidden input fields???

Please, try to search this with Google:

allinurl:user.php +xoops_redirect
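One way to do what the report asks, as an added example that is not XOOPS/XCL code: the return path is kept in the server-side session instead of the `xoops_redirect` query parameter, so it never reaches access logs, the Referer header or search-engine indexes. The function names and the session key are hypothetical; in a real application `$session` would be `$_SESSION`.

```php
<?php
// Added example, not XOOPS/XCL code. Names below are hypothetical.
declare(strict_types=1);

const RETURN_KEY = 'return_to'; // hypothetical session key

// Accept only a local absolute path: no scheme, no host, no
// protocol-relative "//", no backslash or control characters.
function is_local_path(string $path): bool
{
    if ($path === '' || $path[0] !== '/' || strncmp($path, '//', 2) === 0) {
        return false;
    }
    if (strpbrk($path, "\\\r\n\0") !== false) {
        return false;
    }
    $parts = parse_url($path);
    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

// Called by a protected page when the visitor is not logged in.
// Returns the login URL, which carries no target in its query string.
function require_login(array &$session, string $requestUri): string
{
    if (is_local_path($requestUri)) {
        $session[RETURN_KEY] = $requestUri; // stays on the server
    }
    return '/user.php';
}

// Called after successful authentication. The stored target is single use
// and is re-validated before it is used in a Location header.
function post_login_target(array &$session, string $default = '/'): string
{
    $target = $session[RETURN_KEY] ?? $default;
    unset($session[RETURN_KEY]);
    return is_string($target) && is_local_path($target) ? $target : $default;
}

// Constructed demonstration with an in-memory array standing in for $_SESSION.
$session = [];
echo require_login($session, '/MySecretPath/MySecretPage.php'), "\n";
echo post_login_target($session), "\n"; // stored path, consumed here
echo post_login_target($session), "\n"; // nothing stored, falls back to default
```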

Discussion

  • gigamaster
    2012-07-24

    I've confirmed the fix. Closed.