Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#26878 closed defect (bug) (invalid)

Question mark in the url doesn't return 404 and can be abused

Reported by: andrew8192's profile Andrew8192 Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Query Keywords:
Focuses: Cc:

Description

I'm using wordpress 3.8 downloaded from here:
http://wordpress.org/download/

This is a normal url, which returns 404:
http://twentytendemo.wordpress.com/page/4/example

This is an url with the question mark, which doesn't return 404:
http://twentytendemo.wordpress.com/page/4/?/example

I found about this because I received a mail from my hosting provider, saying that they received a complaint about my blog publishing sexual content, this is an example of the urls that they received in their report:

http://twentytendemo.wordpress.com/page/4/?/board/54-blonde-big-breasts/
http://twentytendemo.wordpress.com/page/6/?/board/36-sweet-round-booty/
http://twentytendemo.wordpress.com/page/8/?/board/22-pink-nipples-party/

It was probably a fake report or a joke that someone who doesn't like my blog thought, sexual content is not allowed at my hosting provider, I sent a reply explaining about the bug and hopefully they won't block my account.

Is this a bug that I can fix on my side, or need to wait for the next wordpress version update?

Change History (4)

#1 @johnbillion
11 years ago

  • Component changed from Permalinks to Query
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from major to normal
  • Status changed from new to closed

There's no reason for WordPress to return a 404 here. The URL is valid and points to content on your site. Everything after the question mark in the URL is a query string. How would WordPress know that the content in that particular query string should cause a 404?

This is an unfortunate case of abuse by spammers, but it's not up to WordPress to handle. The problem would affect any CMS or script on any site.

#2 @TobiasBg
11 years ago

To add on, you might want to scan your site for malware. It's possible that your site was hacked and that some malicious code is now listening for those query strings and then delivers the undesired content.

As johnbillion said, ? in a URL are perfectly fine, and coming back to your example, surfing to
http://twentytendemo.wordpress.com/page/4/?/example will actually surf to http://twentytendemo.wordpress.com/page/4/ with /example (the part after the ?) sent as a parameter.

#3 @Andrew8192
11 years ago

There's really nothing that I can do to redirect this kind of urls to a "not found" or 404 page? what if I we add a rule to redirect all the queries that start with "/" example:

?/
?/example
?/example/etc

Would it affect the other core functions? also this format redirects to the parent link:

From:
http://twentytendemo.wordpress.com/page/4/?=example
Redirects to:
http://twentytendemo.wordpress.com/page/4/

Can't we do the same for "/" instead of "="? that would be already an improvement imo.

Last edited 11 years ago by Andrew8192 (previous) (diff)

#4 @TobiasBg
11 years ago

You could create some rewrite rules on your server via a .htaccess file. For details on how to do that, please either ask in the forums at http://wordpress.org/support/ or contact your webhost.

However, you should actually try to find if there's really such unwanted content on your site (maybe because you got hacked). Simply blocking/rewriting certain URLs won't help against that.

Adding a general rewrite rule in WordPress for this is not possible, as those URLs are perfectly valid and user might have legitimate use cases for such URLs.

Note: See TracTickets for help on using tickets.