Registered Items viewed in web searches

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
beanhollownikki
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Fri Dec 13, 2013 2:42 pm

Registered Items viewed in web searches

Post by beanhollownikki » Sat Jul 09, 2016 11:02 am

I am currently running 2.5.22. I have a public site and a private/registered site. Secured information on my registered site is able to be viewed when searching for this information in google. I have made the Modular, Menus, and Categories "Registered".

Am I missing something?

Do I need to upgrade to a more recent version? (I know I should, but am hesitant)

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 24799
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Registered Items viewed in web searches

Post by Per Yngve Berg » Sat Jul 09, 2016 11:26 am

At least update to 2.5.28 before you get hacked.

http://joomlacode.org/gf/download/frsre ... ackage.zip

nerdyone
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Thu Apr 11, 2013 5:10 pm

Re: Registered Items viewed in web searches

Post by nerdyone » Thu Sep 08, 2016 10:44 pm

I'm running an intranet site for my worldwide sales team via Joomla 2.5.28 ... just got a message from our supplier stating that we are sharing proprietary information to the public via our site that is password protected. Apparently there is a search engine out there crawling it. We are being threatened now with the loss of our license to sell their products.

I was always under the impression that "registered" information was not viewable to bots to crawl. (i'm not talking about only google and other bots which actually adhere to robots files ) Is this not the case? How can I stop unauthorized visits to pages from bots that are supposedly secured via Joomla?

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 24799
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Registered Items viewed in web searches

Post by Per Yngve Berg » Fri Sep 09, 2016 7:28 am

"Registered" content should not be viewable by the public. Can you see the pages when you are not logged in?

One possibility is that you have changed the Guest Access to "Registered" from "Guest" in the Options of User Manager.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 14694
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Registered Items viewed in web searches

Post by mandville » Fri Sep 09, 2016 8:30 am

usually the way that intranets appear on the general web are,
having public menu items
having users with "toolbars" https://www.enigmasoftware.com/malicious-toolbars/ that will index data when a user visits that page in total defiance of a robots file , because the toolbar is viewing it as a user would and the user has given the toolbar permission to view that page.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
toivo
Joomla! Exemplar
Joomla! Exemplar
Posts: 9831
Joined: Thu Feb 15, 2007 5:48 am
Location: Oxford, UK
Contact:

Re: Registered Items viewed in web searches

Post by toivo » Fri Sep 09, 2016 8:49 am

nerdyone wrote:I'm running an intranet site for my worldwide sales team via Joomla 2.5.28
When you say 'intranet', do you mean that your site is meant to be accessed only by staff but it is still hosted in the public internet, or is it hosted in the Local Area Network (LAN) or Wide Area Network (WAN) of your company, where it cannot be accessed from the public internet, only from your offices or through a VPN connection?

Even if the viewing access level of the menu item containing the link to the article is 'Registered' but the access level of the article is 'Public', you are likely to from the access log of your site that search engines like Google have the habit of enumerating the articles by id and accessing them using perfectly valid URLs like allowing them to bypass the restriction in the menu:

Code: Select all

     http://www.example.com/index.php?option=com_content&view=article&id=123
Toivo Talikka, Global Moderator
my first programs were assembled and run in 16KB :)
troubleshooting smtp and other articles https://talikka.com/joomla

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 24799
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Registered Items viewed in web searches

Post by Per Yngve Berg » Fri Sep 09, 2016 8:55 am

The View Level of the Category have to be set to "Registered", not only the Menu Items.

nerdyone
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Thu Apr 11, 2013 5:10 pm

Re: Registered Items viewed in web searches

Post by nerdyone » Fri Sep 09, 2016 7:51 pm

Thanks guys for all the interesting information. I've talked to some technical people on both sides and have more info :

All menu structure is only viewable to registered users. The only thing that is viewable to the public is the login and password fields.

Yes, the site is on a DMZ, so there is internal access as well as public access.
We have users with different access levels who need to access to different information, from different locations. Some are contractors with no VPN access to our systems, and others are outside sales reps.

The menu in question is pointing to a login script written in HTML + PHP which logs users into a training module from our suppliers site. Based on the users security level (joomla ACL) , each link logs the user into a different site.

The supplier is seeing the connection coming over from the login script and stating it is insecure (because they can simply go to the address referenced in the script and login) They now say, they do not have reports of the file being crawled, but say that it is possible that a rogue crawler "could" crawl the file.

Is there anyway I could lock down the file so that it would only allow access IF users were logged in?

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 24799
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Registered Items viewed in web searches

Post by Per Yngve Berg » Sat Sep 10, 2016 7:13 am

All Joomla files have a statement that kill it if not run from within Joomla.

Code: Select all

defined('_JEXEC') or die;


Locked

Return to “Security in Joomla! 2.5”