Joined: Jun 2006
Posts: 997 Likes: 24
Old Hand
In a report on my domain Google says that my domain has had spam from a third party and that I should prevent this from happening.

Third-party spam detected on https://example.com/

Google has detected a significant portion of your site being abused with spam that violates Google's Webmaster Guidelines and adds little or no value to the web. The spammy content may appear in your forums, guestbooks, social media platforms, file uploader, free hosting services, or internal search pages. This spammy content is possibly generated by site users or other third parties, and it leverages your site to promote spam rather than the actual subject matter of your site. Therefore, a manual spam action has been applied to appropriate URLs matching this pattern:

example.com/forum/ubbthreads.php?ubb=changeprefs&what=style&value=4&curl=

The good news is that we generally believe your site is of sufficient quality that we didn't see a need to take manual action on the whole site. The current manual action will only affect those pages with spammy content. However, if your site has too much spammy content like this, that may affect our overall assessment of the site, result in a bad user experience, and affect your site's reputation and ranking. Following are some example URLs where we found pages that have been compromised. Please review them to gain a better sense of where this spammy content appears. Please note that the list is not exhaustive.

https://example.com/forum/ubbthreads.php?ubb=changeprefs&what=style&value=4&curl=https://spammyurl.tld

User-generated spam detected on https://example.com/

To: Webmaster of https://example.com/,

Google has detected user-generated content on your site that is either malicious or of no value to Google Search users. This type of content leverages your site's reputation to promote spam rather than the actual subject matter of your site. Therefore, a manual spam action has been applied to example.com/forum/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=. This also causes your site's URLs to appear for queries not related to your actual site content, lowering the quality of search results for Google Search users and thereby also impacting your site's reputation and ranking. For that reason, we strongly advise you to remove the spam and file a reconsideration request. After we evaluate your site and determine that you have complied with our guidelines, we will remove this manual action.

I have tried to search but cannot find any threads with this in its links; maybe Google deleted it, I don't know. I understand the above redirects it to a third-party spam site... correct? Any ideas on what to do? Thanks
Last edited by Gizmo; 11/22/2023 8:47 PM. Reason: Clarity and added example warning messages.

Joined: Jun 2006
Posts: 16,355 Likes: 125
Users have been crafting URLs using the curl redirect (Current URL sending traffic to the function) in UBB.threads. Nothing is exploited on the site, but it's allowing them to forward requests on a page of your site to 3rd party destinations; until we get v8 out the door I'm sharing the patch with everyone now. Any 3rd party URLs with the below patch will be stopped by the system from redirecting unless the redirected URL is a local URL (on your site).

Update: See this post for an update.

In /scripts/changeprefs.inc.php

Find:
    header("Location: $curl");

Replace with:
    // Follow the redirect only when this server's name appears somewhere in $curl
    if (strpos($curl, $_SERVER['SERVER_NAME']) !== false) {
        header("Location: $curl");
    } else {
        $html->not_right($ubbt_lang['POST_PROB']);
    }

This code change exists towards the bottom of the script file. Then you can attempt to redirect on your own site as:
    https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbcentral.com

You can test this behavior here on UBBCentral by going to:
    https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com
2 members like this: Morgan, isaac

Joined: Jun 2006
Posts: 997 Likes: 24
Old Hand
Thank you very much Gizmo, I replaced the code string and the result came up like this: "We could not locate the page you are requesting to view." Perfect!!! Many Kudos 👍🙏✅

Joined: Jul 2006
Posts: 116 Likes: 4
Member
I hate to say it, but the current fix is insufficient and only changes the attack vector. It is still simple to redirect to a third-party site by including the website domain somewhere in the curl parameter.
Example: https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/
I am certain that the spammers will figure it out sooner or later. Personally, I would remove the entire "//domain.tld/ubbthreads.php/" part from the curl parameter.

Joined: Jun 2006
Posts: 997 Likes: 24
Old Hand
> I hate to say it, but the current fix is insufficient and only changes the attack vector. It is still simple to redirect to a third-party site by including the website domain somewhere in the curl parameter.
> Example: https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/
> I am certain that the spammers will figure it out sooner or later. Personally, I would remove the entire "//domain.tld/ubbthreads.php/" part from the curl parameter.

Wow, I tested this and it takes you directly to the third party; maybe something for the developers to bite into. Here is the link in action:
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/faq/index.html/www.ubbcentral.com/
Last edited by Morgan; 11/25/2023 6:02 AM.

Joined: Jun 2006
Posts: 16,355 Likes: 125
Just had the opportunity to rejigger the code again, instead of the above replacement:

In /scripts/changeprefs.inc.php

Find:
    header("Location: $curl");

Replace with:
    // Follow the redirect only when $curl begins with "//<this server>/".
    // The trailing "/" matters: without it "//<this server>@other.tld" would pass.
    if (substr($curl, 0, strlen("//". $_SERVER['SERVER_NAME'] ."/")) === "//". $_SERVER['SERVER_NAME'] ."/") {
        header("Location: $curl");
    } else {
        $html->not_right($ubbt_lang['POST_PROB']);
    }

This code change exists towards the bottom of the script file. Then you can attempt to redirect on your own site as:
    https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbcentral.com
-AND-
    https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/
-AND-
    https://example.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=//www.ubbcentral.com@ubbdev.com

You can test this behavior here on UBBCentral by going to:
    https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com
-AND-
    https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=https://ubbdev.com/www.ubbcentral.com/
-AND-
    https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=//www.ubbcentral.com@ubbdev.com

We'll need to touch base with the existing code to see what needs to be cleaned up further, but this should work to limit the URLs allowed to redirect with the changepreferences script.
Last edited by Gizmo; 12/04/2023 3:42 AM. Reason: Updated check per Phillip's suggestion
1 member likes this: Morgan

Joined: Jul 2006
Posts: 116 Likes: 4
Member
You should add ."/" after $_SERVER['SERVER_NAME'] because it is also possible to do a redirect like this:
https://www.ubbcentral.com/forums/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=//www.ubbcentral.com@ubbdev.com
2 members like this: Morgan, Gizmo
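To see how the checks posted in this thread behave side by side, here is an added example (my own code, not UBB.threads' changeprefs.inc.php and not the code Gizmo or Phillip posted). It reimplements the first strpos() test, the updated "//host/" prefix test, and a stricter path-only variant in the spirit of the suggestion to drop the "//domain.tld/ubbthreads.php/" part from the parameter altogether, then runs all three over constructed sample values modelled on the URLs quoted above. The host is a hard-coded stand-in for $_SERVER['SERVER_NAME'] so the script runs from the command line, and the function names are mine.

```php
<?php
// Added example, not code from UBB.threads or from this thread.
// $host stands in for $_SERVER['SERVER_NAME']; the forum passes the "curl" value to header("Location: ...").

// Variant 1, the first patch posted above: server name anywhere in the target.
function allowed_by_strpos(string $curl, string $host): bool
{
    return strpos($curl, $host) !== false;
}

// Variant 2, the updated patch: the target must begin with "//<host>/".
// The trailing "/" is what stops "//<host>@other.tld" (userinfo syntax) from passing.
function allowed_by_prefix(string $curl, string $host): bool
{
    $prefix = "//" . $host . "/";
    return substr($curl, 0, strlen($prefix)) === $prefix;
}

// Variant 3 (assumed design, along the lines of dropping "//domain.tld/..." from the parameter):
// treat "curl" as a site-relative path only and rebuild the absolute URL server-side,
// so the parameter can never name a host. Returns null when the value is refused.
function local_redirect_target(string $curl, string $host): ?string
{
    // Tolerate the "//<host>" prefix the forum itself may have put in front of the path.
    $hostPrefix = "//" . $host;
    if (substr($curl, 0, strlen($hostPrefix)) === $hostPrefix) {
        $curl = substr($curl, strlen($hostPrefix));
    }
    // Must be a path starting with exactly one "/" ("//x" and "/\x" are read as a new host by browsers).
    if ($curl === '' || $curl[0] !== '/' || (isset($curl[1]) && ($curl[1] === '/' || $curl[1] === '\\'))) {
        return null;
    }
    // Refuse backslashes, "@" and whitespace (CR/LF would also be a header-injection vector),
    // and anything parse_url() can still read as having a host.
    if (preg_match('/[\\\\@\s]/', $curl) === 1 || parse_url($curl, PHP_URL_HOST) !== null) {
        return null;
    }
    return "https://" . $host . $curl;
}

// Constructed sample values, modelled on the URLs discussed in this thread.
$host = 'www.ubbcentral.com';
$samples = [
    '//www.ubbcentral.com/forums/ubbthreads.php?ubb=showflat&Number=1', // what the forum itself sends
    'https://ubbdev.com',                                               // plain third-party target
    'https://ubbdev.com/www.ubbcentral.com/',                           // server name embedded in the path
    '//www.ubbcentral.com@ubbdev.com',                                  // server name as userinfo
    '//www.ubbcentral.com.ubbdev.com/',                                 // server name as a subdomain of another host
];

foreach ($samples as $curl) {
    $target = local_redirect_target($curl, $host);
    printf("%-68s strpos=%-5s prefix=%-5s path-only=%s\n",
        $curl,
        allowed_by_strpos($curl, $host) ? 'allow' : 'block',
        allowed_by_prefix($curl, $host) ? 'allow' : 'block',
        $target === null ? 'block' : $target);
}
```

Run it with php on the command line: only the first sample is allowed by the prefix test and by the path-only variant, while the strpos() test lets every sample through except the plain third-party URL. The path-only variant is the one to prefer if the script can be changed to rebuild the Location header from the server name and a path, since then no value of the parameter can name another host at all.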

Joined: Jun 2006
Posts: 997 Likes: 24
Old Hand
Hi again,
I have implemented Gizmo's code string and it seems to work. Went to check Google Search Console today and looked around. I found a couple of thousand links like the above using my forum software to redirect to third-party sites. It was mainly from countries that we recognize as non-democratic states. Links were redirected to casinos, porn and other fishy topics.
I hope the above fixes this, as it was not a pleasant surprise. Any thoughts from you devs?
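Search Console only shows the URLs Google happened to index; the web server's own access log shows every request that hit the redirect. The following is an added example (my own code, not part of this thread or of UBB.threads) that scans combined-format access log lines for changeprefs requests whose curl value would fail the "//host/" check from the patch above, and tallies the hosts those requests pointed at. The log lines are constructed, the IPs are documentation addresses, and the forum host is assumed to be example.com as in the opening post.

```php
<?php
// Added example, not from this thread or UBB.threads: find changeprefs requests in web server
// access logs whose "curl" value would not pass the "//<host>/" check from the patch above.

// Constructed sample lines in Apache/nginx combined log format; IPs are documentation ranges.
$log = <<<'LOG'
203.0.113.5 - - [20/Nov/2023:10:01:22 +0000] "GET /forum/ubbthreads.php?ubb=changeprefs&what=style&value=4&curl=https://spammyurl.tld HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2023:10:02:10 +0000] "GET /forum/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=//example.com/forum/ubbthreads.php?ubb=showflat HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Nov/2023:10:03:41 +0000] "GET /forum/ubbthreads.php?ubb=changeprefs&what=style&value=1&curl=//example.com@spammyurl.tld HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Nov/2023:10:04:02 +0000] "GET /forum/ubbthreads.php?ubb=showflat&Number=1 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
LOG;

// Same test as the patch: local only if the value begins with "//<host>/".
function is_local_curl(string $curl, string $host): bool
{
    $prefix = "//" . $host . "/";
    return substr($curl, 0, strlen($prefix)) === $prefix;
}

// Returns one entry per changeprefs request whose curl value is not local:
// client IP, raw curl value, and the destination host as a browser would resolve it.
function external_redirects(string $log, string $host): array
{
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        if (!preg_match('/^(\S+) .*?"GET (\S+) HTTP/', $line, $m)) {
            continue;
        }
        [, $client, $requestUri] = $m;
        $q = strpos($requestUri, '?');
        if ($q === false) {
            continue;
        }
        parse_str(substr($requestUri, $q + 1), $params); // decodes %xx the way the server did
        if (($params['ubb'] ?? '') !== 'changeprefs' || !isset($params['curl'])) {
            continue;
        }
        $curl = $params['curl'];
        if (is_local_curl($curl, $host)) {
            continue;
        }
        // Give protocol-relative values a scheme so parse_url() sees the authority, then take
        // the host part; "//example.com@spammyurl.tld" resolves to spammyurl.tld, not example.com.
        $dest = parse_url(substr($curl, 0, 2) === '//' ? "https:" . $curl : $curl, PHP_URL_HOST);
        $hits[] = ['client' => $client, 'curl' => $curl, 'dest' => is_string($dest) ? $dest : '(unparsed)'];
    }
    return $hits;
}

$hits = external_redirects($log, 'example.com'); // assumed forum host
$byDest = [];
foreach ($hits as $h) {
    $byDest[$h['dest']] = ($byDest[$h['dest']] ?? 0) + 1;
    printf("%-14s %s\n", $h['client'], $h['curl']);
}
arsort($byDest);
foreach ($byDest as $dest => $n) {
    printf("%5d  %s\n", $n, $dest);
}
```

On the sample lines this reports the two requests pointing at spammyurl.tld and skips the local redirect and the unrelated showflat request. Against a real log, the per-destination tally is the list of hosts to include in the reconsideration request, and the per-client view shows whether the traffic comes from a handful of sources that a firewall rule could drop.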

Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
To implement this fix, do I put MY server name between the quote marks in brackets where it says ['SERVER_NAME']?
Thanks for any clarification.

Joined: Jun 2006
Posts: 16,355 Likes: 125
This is a drop-in replacement; don't change anything.