
Security issue with file vbseo_getsitemap.php

This is a discussion on Security issue with file vbseo_getsitemap.php within the Bug Reporting forums, part of the vBSEO Google/Yahoo Sitemap category.

  1. #1
    Member
    Real Name
    Razvan
    Join Date
    Nov 2006
    Location
    Sibiu / Romania
    Posts
    50
    Liked
    0 times

    Security issue with file vbseo_getsitemap.php

    Hi,



    When the file vbseo_getsitemap.php is called without arguments, it supplies a list of files in the directory where it's installed. This is a security risk. Please fix this ASAP.

    I am a bit concerned: why haven't you already tested this obvious test case?

    At present, I don't have a complete understanding of vBSEO sitemaps, and this is why I am asking you: why do you need this file in the first place? You could generate the files in some folder, then just instruct the user to put a line in "robots.txt", a line that will tell all robots where the file is located:

    Sitemap: http://www.test.eu/some-folder/sitemap_index.xml.gz

    What is wrong with this approach? This second option looks like a better incarnation of the KISS principle.


    Regards,
    Razvan
    Last edited by mihai11; 11-05-2008 at 10:57 AM. Reason: typo

  2. #2
    vBSEO Staff
    Real Name
    Oleg Ignatiuk
    Join Date
    Jun 2005
    Location
    Belarus
    Posts
    25,744
    Liked
    169 times
    Hello,

    vbseo_getsitemap.php never provides a directory listing, you can check it here: http://www.vbseo.com/vbseo_sitemap/vbseo_getsitemap.php
    Quote:
    Sitemap: http://www.test.eu/some-folder/sitemap_index.xml.gz

    What is wrong with this approach? This second option looks like a better incarnation of the KISS principle.

    According to the sitemaps protocol, a sitemap cannot be located in a subfolder and should be submitted at the top location of the site (or a part of the site). In order to physically store files in the forums root, they will have to be manually created and write permissions assigned to every file, which complicates the installation. That's why a rewrite rule is used instead. Also, that allows tracking a sitemap downloads log.

  3. #3
    Member
    Real Name
    Razvan
    Quote: Originally Posted by Oleg Ignatiuk
    Hello,

    vbseo_getsitemap.php never provides a directory listing, you can check it here: http://www.vbseo.com/vbseo_sitemap/vbseo_getsitemap.php
    According to the sitemaps protocol, a sitemap cannot be located in a subfolder and should be submitted at the top location of the site (or a part of the site). In order to physically store files in the forums root, they will have to be manually created and write permissions assigned to every file, which complicates the installation. That's why a rewrite rule is used instead. Also, that allows tracking a sitemap downloads log.

    On your site it does not, but on mine it creates a file with a length of 512 bytes. The file is pretty much meaningless (looks like it's a binary file) except for the names of the files that are in the same folder as the file in question.

    Note: I am using the latest version of sitemaps.

    I will open a support ticket and I will provide all the relevant details there.

  4. #4
    vBSEO Staff
    Real Name
    Oleg Ignatiuk
    It might be related to the server settings, let's see in the ticket.
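
A defensive pattern for a script that serves sitemap files through a rewrite rule, as discussed in this thread: a missing or malformed argument gets a plain 404, and only allow-listed filenames from one fixed directory are ever read. This is an added example, not vBSEO's code; the `sitemap` parameter name, the `data` directory and the filename pattern are assumptions.

```php
<?php
// Added example, not vBSEO code. The parameter name "sitemap", the storage
// directory and the filename pattern are assumptions for illustration.

const SITEMAP_DIR = __DIR__ . '/data';   // hypothetical storage directory

/**
 * Map a requested name to a regular file inside $baseDir, or return null.
 */
function resolve_sitemap(?string $name, string $baseDir = SITEMAP_DIR): ?string
{
    // No argument, or anything that is not a plain sitemap filename: refuse.
    if ($name === null || !preg_match('/\Asitemap_[a-z0-9_]{1,40}\.xml(\.gz)?\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    // realpath() returns false for missing files and resolves symlinks,
    // so the containment check below applies to the real location.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function serve_sitemap(array $query): void
{
    $name = isset($query['sitemap']) && is_string($query['sitemap']) ? $query['sitemap'] : null;
    $path = resolve_sitemap($name);
    if ($path === null) {
        // Same response for "no argument", "bad name" and "missing file":
        // nothing about the directory contents reaches the client.
        http_response_code(404);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Not found\n";
        return;
    }
    $gz = substr($path, -3) === '.gz';
    header('Content-Type: ' . ($gz ? 'application/gzip' : 'application/xml'));
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

serve_sitemap($_GET);
```

Because every failure path returns the same fixed body, a request without arguments can be checked simply by confirming the response is the 404 text and contains no local filenames.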
