Previous Thread
Next Thread
Print Thread
Hop To
Joined: Jun 2006
Posts: 987
Likes: 24
Old Hand
Old Hand
Joined: Jun 2006
Posts: 987
Likes: 24
In a report on my domain Google says that my domain has had spam from a third-party and that I should prevent this from happening.

Quote
Third-party spam detected on https://example.com/

Google has detected a significant portion of your site being abused with spam that violates Google's Webmaster Guidelines and adds little or no value to the web. The spammy content may appear in your forums, guestbooks, social media platforms, file uploader, free hosting services, or internal search pages.

This spammy content is possibly generated by site users or other third-parties, and it leverages your site to promote spam rather than the actual subject matter of your site.

Therefore, a manual spam action has been applied to appropriate URLs matching this pattern: example.com/forum/ubbthreads.php?ubb=changeprefs&what=style&value=4&curl=

The good news is that we generally believe your site is of sufficient quality that we didn't see a need to take manual action on the whole site. The current manual action will only affect those pages with spammy content. However, if your site has too much spammy content like this, that may affect our overall assessment of the site, result in a bad user experience, and affect your site’s reputation and ranking.

Following are some example URLs where we found pages that have been compromised. Please review them to gain a better sense of where these spammy content appears. Please note that the list is not exhaustive.

https://example.com/forum/ubbthreads.php?ubb=changeprefs&what=style&value=4&curl=https://spammyurl.tld

Quote
User-generated spam detected on https://example.com/

To: Webmaster of https://example.com/,

Google has detected user-generated content on your site that is either malicious or of no value to Google Search users. This type of content leverages your site’s reputation to promote spam rather than the actual subject matter of your site. Therefore, a manual spam action has been applied to example.com/forum/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=. This also causes your site’s URLs to appear for queries not related to your actual site content, lowering the quality of search results for Google Search users and thereby also impacting your site’s reputation and ranking. For that reason, we strongly advise you to remove the spam and file a reconsideration request. After we evaluate your site and determine that you have complied with our guidelines, we will remove this manual action.

I have tried to search but cannot find any threads with this in its links, maybe Google deleted it I don't know.
I understand above redirects it to a third party spamsite..correct?

Any ideas on what to do?
thanks

Last edited by Gizmo; 11/22/2023 7:47 PM. Reason: Clarity and added example warning messages.

Morgan Johansson
BritBike Forum
https://www.britbike.com/forums/ubbthreads.php
Joined: Jun 2006
Posts: 16,277
Likes: 114
UBB.threads Developer
UBB.threads Developer
Joined: Jun 2006
Posts: 16,277
Likes: 114
Users have been crafting URLs using the curl redirect (Current URL sending traffic to the function) in UBB.threads, nothing is exploited on the site, but it's allowing them to forward requests on a page of your site to 3rd party destinations; until we get v8 out the door I'm sharing the patch with everyone now. Any 3rd party URLs with the below patch will be stopped by the system from redirecting them unless the redirected URL is from a local URL (on your site).

Update: See this post for an update.
In /scripts/changeprefs.inc.php Find:
Code
		header("Location: $curl");


Replace with:
Code
	if (strpos($curl, $_SERVER['SERVER_NAME']) !== false) {
		header("Location: $curl");
	} else {
		$html->not_right($ubbt_lang['POST_PROB']);
	}


This code change exists towards the bottom of the script file, then you can attempt to redirect on your own site as:
https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbcentral.com

You can test this behavior here on UBBCentral by going to:
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com


I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
2 members like this: Morgan, isaac
Joined: Jun 2006
Posts: 987
Likes: 24
Old Hand
Old Hand
Joined: Jun 2006
Posts: 987
Likes: 24
Thank you very much Gizmo, I replaced the code string and the results came up like this

Quote
We could not locate the page you are requesting to view.

Perfect!!!

Many Kudos 👍🙏✅


Morgan Johansson
BritBike Forum
https://www.britbike.com/forums/ubbthreads.php
Joined: Jul 2006
Posts: 116
Likes: 4
P
Member
Member
P Offline
Joined: Jul 2006
Posts: 116
Likes: 4
I hate to say it, but the current fix is insufficient and only changes the attack vector. It is still simple to redirect to a third-party site by including the website domain somewhere in the curl parameter.

Example: https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/

I am certain that the spammers will figure it out sooner or later. Personally, I would remove the entire "//domain.tld/ubbthreads.php/" part from the curl parameter.

Joined: Jun 2006
Posts: 987
Likes: 24
Old Hand
Old Hand
Joined: Jun 2006
Posts: 987
Likes: 24
Originally Posted by Philipp
I hate to say it, but the current fix is insufficient and only changes the attack vector. It is still simple to redirect to a third-party site by including the website domain somewhere in the curl parameter.

Example: https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/

I am certain that the spammers will figure it out sooner or later. Personally, I would remove the entire "//domain.tld/ubbthreads.php/" part from the curl parameter.

Wow I tested this and it takes you direct to the third party, maybe something to bite into for the developers
Quote
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/faq/index.html/www.ubbcentral.com/

Here is the link in action

Last edited by Morgan; 11/25/2023 5:02 AM.

Morgan Johansson
BritBike Forum
https://www.britbike.com/forums/ubbthreads.php
Joined: Jun 2006
Posts: 16,277
Likes: 114
UBB.threads Developer
UBB.threads Developer
Joined: Jun 2006
Posts: 16,277
Likes: 114
Just had the opportunity to rejigger the code again, instead of the above replacement:
In /scripts/changeprefs.inc.php Find:
Code
		header("Location: $curl");


Replace with:
Code
	if (substr($curl, 0, strlen("//". $_SERVER['SERVER_NAME'] ."/")) === "//". $_SERVER['SERVER_NAME'] ."/") {
		header("Location: $curl");
	} else {
		$html->not_right($ubbt_lang['POST_PROB']);
	}

This code change exists towards the bottom of the script file, then you can attempt to redirect on your own site as:
https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbcentral.com
-AND-
https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/
-AND-
https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=//www.ubbcentral.com@ubbdev.com

You can test this behavior here on UBBCentral by going to:
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com
-AND-
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/
-AND-
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=//www.ubbcentral.com@ubbdev.com

We'll need to touch base with the existing code to see what needs to be cleaned up further, but this should work to limit the URLs allowed to redirect with the changepreferences script.

Last edited by Gizmo; 12/04/2023 2:42 AM. Reason: Updated check per Phillip's suggestion

I am a Web Development Contractor, I do not work for UBBCentral. I have provided free User to User Support since the beginning of these support forums.
Do you need Forum Install or Upgrade Services?
Forums: A Gardeners Forum, Scouters World
UBB.threads: UBBWiki, UBB Styles, UBB.Sitemaps
Longtime Supporter & Resident Post-A-Holic
VNC Web Services: Code Modifications, Upgrades, Styling, Coding Services, Disaster Recovery, and more!
1 member likes this: Morgan
Joined: Jul 2006
Posts: 116
Likes: 4
P
Member
Member
P Offline
Joined: Jul 2006
Posts: 116
Likes: 4
You should add ."/" after $_SERVER['SERVER_NAME'] because it is also possible to do a redirect like this:
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=//www.ubbcentral.com@ubbdev.com

2 members like this: Morgan, Gizmo
Joined: Jun 2006
Posts: 987
Likes: 24
Old Hand
Old Hand
Joined: Jun 2006
Posts: 987
Likes: 24
Hi again,

I have implemented Gizmo's code string and it seems to work.
Went to check google search consule today and looked around.
I found a couple of thousands links like above using my forums software to redirect to third party sites.
It was mainly from countries that we recognize as non democratic states.
Links was redirected to Casinos, Porn and other fishy topics.

I hope above fix this as it was not a pleasant surprize.
Any thoughts from you dev's ?


Morgan Johansson
BritBike Forum
https://www.britbike.com/forums/ubbthreads.php

Link Copied to Clipboard
ShoutChat
Comment Guidelines: Do post respectful and insightful comments. Don't flame, hate, spam.
Recent Topics
search error on this site.
by Ruben - 02/24/2024 12:52 PM
UBB 20 Years button
by Morgan - 02/20/2024 4:21 PM
Attachment/Cloudflar
e issue

by Morgan - 02/15/2024 5:47 AM
Forums down
by Nightcrawler - 02/14/2024 2:31 PM
How is this possible?
by Baldeagle - 02/08/2024 2:49 PM
Who's Online Now
2 members (Gizmo, Ruben), 209 guests, and 317 robots.
Key: Admin, Global Mod, Mod
Random Gallery Image
Latest Gallery Images
Los Angeles
Los Angeles
by isaac, August 6
3D Creations
3D Creations
by JAISP, December 30
Artistic structures
Artistic structures
by isaac, August 29
Stones
Stones
by isaac, August 19
Powered by UBB.threads™ PHP Forum Software 8.0.0
(Preview build 20230217)