#26878 closed defect (bug) (invalid)
Question mark in the url doesn't return 404 and can be abused
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | |
| Component: | Query | Keywords: | |
| Focuses: | Cc: |
Description
I'm using wordpress 3.8 downloaded from here:
http://wordpress.org/download/
This is a normal url, which returns 404:
http://twentytendemo.wordpress.com/page/4/example
This is an url with the question mark, which doesn't return 404:
http://twentytendemo.wordpress.com/page/4/?/example
I found about this because I received a mail from my hosting provider, saying that they received a complaint about my blog publishing sexual content, this is an example of the urls that they received in their report:
http://twentytendemo.wordpress.com/page/4/?/board/54-blonde-big-breasts/ http://twentytendemo.wordpress.com/page/6/?/board/36-sweet-round-booty/ http://twentytendemo.wordpress.com/page/8/?/board/22-pink-nipples-party/
It was probably a fake report or a joke that someone who doesn't like my blog thought, sexual content is not allowed at my hosting provider, I sent a reply explaining about the bug and hopefully they won't block my account.
Is this a bug that I can fix on my side, or need to wait for the next wordpress version update?
Change History (4)
#1
@
10 years ago
- Component changed from Permalinks to Query
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Severity changed from major to normal
- Status changed from new to closed
#2
@
10 years ago
To add on, you might want to scan your site for malware. It's possible that your site was hacked and that some malicious code is now listening for those query strings and then delivers the undesired content.
As johnbillion said, ? in a URL are perfectly fine, and coming back to your example, surfing to
http://twentytendemo.wordpress.com/page/4/?/example will actually surf to http://twentytendemo.wordpress.com/page/4/ with /example (the part after the ?) sent as a parameter.
#3
@
10 years ago
There's really nothing that I can do to redirect this kind of urls to a "not found" or 404 page? what if I we add a rule to redirect all the queries that start with "/" example:
?/ ?/example ?/example/etc
Would it affect the other core functions?
#4
@
10 years ago
You could create some rewrite rules on your server via a .htaccess file. For details on how to do that, please either ask in the forums at http://wordpress.org/support/ or contact your webhost.
However, you should actually try to find if there's really such unwanted content on your site (maybe because you got hacked). Simply blocking/rewriting certain URLs won't help against that.
Adding a general rewrite rule in WordPress for this is not possible, as those URLs are perfectly valid and user might have legitimate use cases for such URLs.
There's no reason for WordPress to return a 404 here. The URL is valid and points to content on your site. Everything after the question mark in the URL is a query string. How would WordPress know that the content in that particular query string should cause a 404?
This is an unfortunate case of abuse by spammers, but it's not up to WordPress to handle. The problem would affect any CMS or script on any site.