Registered Items viewed in web searches
Moderators: mandville, General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Apprentice
- Posts: 12
- Joined: Fri Dec 13, 2013 2:42 pm
Registered Items viewed in web searches
I am currently running 2.5.22. I have a public site and a private/registered site. Secured information on my registered site is able to be viewed when searching for this information in Google. I have made the Modular, Menus, and Categories "Registered".
Am I missing something?
Do I need to upgrade to a more recent version? (I know I should, but am hesitant)
- Per Yngve Berg
- Joomla! Master
- Posts: 30940
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Registered Items viewed in web searches
At least update to 2.5.28 before you get hacked.
http://joomlacode.org/gf/download/frsre ... ackage.zip
-
- Joomla! Apprentice
- Posts: 5
- Joined: Thu Apr 11, 2013 5:10 pm
Re: Registered Items viewed in web searches
I'm running an intranet site for my worldwide sales team via Joomla 2.5.28 ... just got a message from our supplier stating that we are sharing proprietary information to the public via our site that is password protected. Apparently there is a search engine out there crawling it. We are being threatened now with the loss of our license to sell their products.
I was always under the impression that "registered" information was not viewable to bots to crawl. (I'm not talking about only Google and other bots which actually adhere to robots files.) Is this not the case? How can I stop unauthorized visits to pages from bots that are supposedly secured via Joomla?
- Per Yngve Berg
- Joomla! Master
- Posts: 30940
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Registered Items viewed in web searches
"Registered" content should not be viewable by the public. Can you see the pages when you are not logged in?
One possibility is that you have changed the Guest Access to "Registered" from "Guest" in the Options of User Manager.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Registered Items viewed in web searches
Usually the ways that intranets appear on the general web are:
having public menu items
having users with "toolbars" https://www.enigmasoftware.com/malicious-toolbars/ that will index data when a user visits that page in total defiance of a robots file, because the toolbar is viewing it as a user would and the user has given the toolbar permission to view that page.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- toivo
- Joomla! Master
- Posts: 17445
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: Registered Items viewed in web searches
nerdyone wrote: I'm running an intranet site for my worldwide sales team via Joomla 2.5.28
When you say 'intranet', do you mean that your site is meant to be accessed only by staff but it is still hosted in the public internet, or is it hosted in the Local Area Network (LAN) or Wide Area Network (WAN) of your company, where it cannot be accessed from the public internet, only from your offices or through a VPN connection?
Even if the viewing access level of the menu item containing the link to the article is 'Registered' but the access level of the article is 'Public', you are likely to see from the access log of your site that search engines like Google have the habit of enumerating the articles by id and accessing them using perfectly valid URLs like the one below, allowing them to bypass the restriction in the menu:
Code:
http://www.example.com/index.php?option=com_content&view=article&id=123
Toivo Talikka, Global Moderator
- Per Yngve Berg
- Joomla! Master
- Posts: 30940
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Registered Items viewed in web searches
The View Level of the Category has to be set to "Registered", not only the Menu Items.
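An added example, not part of the thread or of Joomla itself: a read-only audit for the mismatch described in the two posts above, listing published articles that a restricted menu item links to while the article or its category is still Public. The `jos_` prefix, the sample rows and view level id 1 for Public (the default) are assumptions; the tables and columns are Joomla's `#__content`, `#__categories` and `#__menu`.

```python
import sqlite3

PUBLIC = 1  # id of the "Public" view level in a default Joomla install

# "jos_" is an assumed table prefix. On MySQL, build the link with
# CONCAT('index.php?option=com_content&view=article&id=', a.id) instead of ||.
AUDIT_SQL = """
SELECT a.id, a.access, c.access
FROM jos_content AS a
JOIN jos_categories AS c ON c.id = a.catid
JOIN jos_menu AS m
  ON m.link = 'index.php?option=com_content&view=article&id=' || a.id
WHERE a.state = 1                 -- published articles only
  AND m.access <> :public         -- the menu item is restricted ...
  AND (a.access = :public OR c.access = :public)  -- ... a lower level is not
ORDER BY a.id
"""


def build_sample_db():
    """Constructed miniature of the three Joomla tables the audit reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE jos_categories (id INTEGER PRIMARY KEY, access INTEGER);
        CREATE TABLE jos_content (id INTEGER PRIMARY KEY, catid INTEGER, state INTEGER, access INTEGER);
        CREATE TABLE jos_menu (id INTEGER PRIMARY KEY, link TEXT, access INTEGER);
        INSERT INTO jos_categories VALUES (10, 2), (11, 1);
        INSERT INTO jos_content VALUES
            (123, 10, 1, 1),  -- article left Public, category Registered
            (124, 11, 1, 2),  -- article Registered, category left Public
            (125, 10, 1, 2),  -- consistently Registered
            (126, 11, 1, 1);  -- meant to be public, public menu item
        INSERT INTO jos_menu VALUES
            (1, 'index.php?option=com_content&view=article&id=123', 2),
            (2, 'index.php?option=com_content&view=article&id=124', 2),
            (3, 'index.php?option=com_content&view=article&id=125', 2),
            (4, 'index.php?option=com_content&view=article&id=126', 1);
    """)
    return db


def find_mismatches(db):
    """Return (article id, [levels still Public]) for restricted menu targets."""
    findings = []
    for art_id, art_access, cat_access in db.execute(AUDIT_SQL, {"public": PUBLIC}):
        levels = (("article", art_access), ("category", cat_access))
        findings.append((art_id, [n for n, lv in levels if lv == PUBLIC]))
    return findings
```

Each finding is a page to review in the Article Manager or Category Manager; an empty result means every article behind a restricted menu item carries a restricted level on both the article and its category.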
-
- Joomla! Apprentice
- Posts: 5
- Joined: Thu Apr 11, 2013 5:10 pm
Re: Registered Items viewed in web searches
Thanks guys for all the interesting information. I've talked to some technical people on both sides and have more info:
All menu structure is only viewable to registered users. The only thing that is viewable to the public is the login and password fields.
Yes, the site is on a DMZ, so there is internal access as well as public access.
We have users with different access levels who need access to different information, from different locations. Some are contractors with no VPN access to our systems, and others are outside sales reps.
The menu in question is pointing to a login script written in HTML + PHP which logs users into a training module from our supplier's site. Based on the user's security level (Joomla ACL), each link logs the user into a different site.
The supplier is seeing the connection coming over from the login script and stating it is insecure (because they can simply go to the address referenced in the script and login). They now say they do not have reports of the file being crawled, but say that it is possible that a rogue crawler "could" crawl the file.
Is there any way I could lock down the file so that it would only allow access IF users were logged in?
- Per Yngve Berg
- Joomla! Master
- Posts: 30940
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Registered Items viewed in web searches
All Joomla files have a statement that kills it if not run from within Joomla.
Code:
defined('_JEXEC') or die;