vBulletin SEO Forums

Security issue with file vbseo_getsitemap.php

This is a discussion on Security issue with file vbseo_getsitemap.php within the Bug Reporting forums, part of the vBSEO Google/Yahoo Sitemap category; Hi, When the file vbseo_getsitemap.php is called without arguments it supplies a list of files in the directory where it's installed. ...

  #1  
Old 11-05-2008, 10:30 AM
Member
 
Real Name: Razvan
Join Date: Nov 2006
Location: Sibiu / Romania
Posts: 40
Security issue with file vbseo_getsitemap.php

Hi,



When the file vbseo_getsitemap.php is called without arguments it supplies a list of files in the directory where it's installed. This is a security risk. Please fix this ASAP.

I am a bit concerned: why haven't you already tested this obvious test case?

At present, I don't have a complete understanding of vBSEO sitemaps and this is why I am asking you: why do you need this file in the first place? You could generate the files in some folder, then just instruct the user to put a line in "robots.txt", a line that will tell all robots where the file is located:

Sitemap: http://www.test.eu/some-folder/sitemap_index.xml.gz

What is wrong with this approach? This second option looks like a better incarnation of the KISS principle.


Regards,
Razvan

Last edited by mihai11; 11-05-2008 at 11:57 AM. Reason: typo
  #2  
Old 11-05-2008, 10:48 AM
vBSEO Staff
 
Real Name: Oleg Ignatiuk
Join Date: Jun 2005
Location: Belarus
Posts: 21,923
Hello,

vbseo_getsitemap.php never provides a directory listing; you can check it here: http://www.vbseo.com/vbseo_sitemap/vbseo_getsitemap.php
Quote:
Sitemap: http://www.test.eu/some-folder/sitemap_index.xml.gz

What is wrong with this approach? This second option looks like a better incarnation of the KISS principle.

According to the sitemaps protocol, a sitemap cannot be located in a subfolder and should be submitted at the top location of the site (or a part of the site). In order to physically store files in the forum root, they will have to be manually created and write permissions assigned to every file, which complicates the installation. That's why a rewrite rule is used instead. Also, that makes it possible to track the sitemap downloads log.
__________________
Oleg Ignatiuk / Crawlability Inc.
  #3  
Old 11-05-2008, 11:56 AM
Member
 
Real Name: Razvan
Join Date: Nov 2006
Location: Sibiu / Romania
Posts: 40
Quote:
Originally Posted by Oleg Ignatiuk View Post
Hello,

vbseo_getsitemap.php never provides a directory listing; you can check it here: http://www.vbseo.com/vbseo_sitemap/vbseo_getsitemap.php
According to the sitemaps protocol, a sitemap cannot be located in a subfolder and should be submitted at the top location of the site (or a part of the site). In order to physically store files in the forum root, they will have to be manually created and write permissions assigned to every file, which complicates the installation. That's why a rewrite rule is used instead. Also, that makes it possible to track the sitemap downloads log.

On your site it does not, but on mine it creates a file with a length of 512 bytes. The file is pretty much meaningless (looks like it's a binary file) except for the names of the files that are in the same folder as the file in question.

Note: I am using the latest version of sitemaps.

I will open a support ticket and I will provide all the relevant details there.
  #4  
Old 11-05-2008, 03:34 PM
vBSEO Staff
 
Real Name: Oleg Ignatiuk
Join Date: Jun 2005
Location: Belarus
Posts: 21,923
It might be related to the server settings, let's see in the ticket.
__________________
Oleg Ignatiuk / Crawlability Inc.
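
A defensive pattern for a sitemap download script of the kind discussed in this thread, as an added example that is not vBSEO's code and not part of any post: a request with no argument is refused instead of falling through to the storage directory, and only regular files with expected names are served. The `sitemap` query parameter, the `sitemap_data` directory and the filename pattern are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not vBSEO code. The directory, the "sitemap" query
// parameter and the filename pattern are hypothetical.
const SITEMAP_DIR = __DIR__ . '/sitemap_data';

/** Map a requested name to a regular file inside $baseDir, or null. */
function resolve_sitemap($name, string $baseDir): ?string
{
    // No argument, an empty one, or an array (?sitemap[]=x): refuse.
    // An empty name would otherwise resolve to the directory itself.
    if (!is_string($name) || $name === '') {
        return null;
    }
    // Allow-list the names the generator writes: no slashes, no "..".
    if (preg_match('/\A[A-Za-z0-9_-]+\.xml(\.gz)?\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // After symlink resolution the target must still be a regular file
    // directly inside the sitemap directory.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

$path = resolve_sitemap($_GET['sitemap'] ?? null, SITEMAP_DIR);
if ($path === null) {
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    exit("Not found\n");
}
$gzip = substr($path, -3) === '.gz';
header('Content-Type: ' . ($gzip ? 'application/gzip' : 'application/xml'));
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Requesting the script with no query string, or with a name that resolves to a directory, should return the 404 body and never any bytes read from the directory.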
All times are GMT -4. The time now is 01:26 AM.