Important Advice against Google Bot


Emilio Sanchez

Jan 18, 2016, 1:21:58 PM1/18/16
to Vosao CMS Development
Hello guys,

Two weeks ago Google Bot scratched my web site by pointing to the /setup relative link that I didn't know about.

No link on internet pointed to this relative link however.

I advise you to really install the next version 1.0.2, in which the default site setup will only be done through the configuration panel in the backoffice.

regards

Emanuele Ziglioli

Jan 19, 2016, 8:36:44 AM1/19/16
to Vosao CMS Development
That's a worry! Are you saying that under the old version, anybody can hit /setup and reset the site?
That should have gone under a protected /_ah url!
I'll have a look at the new version.

Emanuele Ziglioli

Jan 19, 2016, 8:47:58 AM1/19/16
to Vosao CMS Development
I've just checked our web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name></web-resource-name>
            <url-pattern>/setup</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>


That should be enough to protect the site from a bot, but not enough to protect an authorized user from hitting that url.
What are the consequences?

Emanuele Ziglioli

Jan 19, 2016, 9:00:42 AM1/19/16
to Vosao CMS Development
I suppose in production one could simply disable the init and the update filters:

    <filter>
        <filter-name>InitFilter</filter-name>
        <filter-class>org.vosao.filter.InitFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>InitFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Emilio Sanchez

Jan 19, 2016, 2:12:30 PM1/19/16
to Vosao CMS Development
Yeah, the InitFilter code must be modified in order to erase the /setup entry.


Emilio Sanchez

Jan 19, 2016, 2:21:03 PM1/19/16
to Vosao CMS Development
What do you think?
This "bug" has been there since the beginning. Well, the former developers were pretty confident.

Emanuele Ziglioli

Jan 20, 2016, 4:43:40 PM1/20/16
to Vosao CMS Development
Yeah, I've disabled it in production. Perhaps we could add a check on the source address (it could be local, for testing, 127...).
Or another check to make sure we don't erase an existing site by mistake.
Did you lose important stuff?
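The two checks Emanuele suggests above (only accept the request from a local address, and never run setup against a site that already exists) can be combined with the admin-role check from the web.xml constraint into one guard in front of /setup. The filter below is an added example written for this thread, not Vosao's own InitFilter; the class name SetupGuardFilter and the "site.initialized" servlet-context attribute are assumptions, and a real deployment would read the initialized flag from the datastore instead.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical guard mapped to /setup (declare it in web.xml like the
 * InitFilter mapping in this thread). A request only reaches the setup
 * code when all three checks pass:
 *   1. the site has not been initialized yet (so a crawler or a careless
 *      admin cannot wipe an existing site),
 *   2. the caller is authenticated in the "admin" role (belt and braces
 *      on top of the security-constraint),
 *   3. the request comes from a loopback address (local testing only).
 * Everything else is answered with 404 or 403 and never touches the setup
 * code. This is example code, not part of Vosao.
 */
public class SetupGuardFilter implements Filter {

    // Assumed attribute name; a real implementation would query the datastore.
    static final String INITIALIZED_ATTR = "site.initialized";

    private FilterConfig config;

    @Override
    public void init(FilterConfig filterConfig) {
        this.config = filterConfig;
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web app, so a context path does not matter.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!"/setup".equals(path)) {
            chain.doFilter(req, res);   // not our concern, pass through
            return;
        }

        boolean initialized = config.getServletContext().getAttribute(INITIALIZED_ATTR) != null;
        int status = decide(initialized, request.isUserInRole("admin"), request.getRemoteAddr());
        if (status != HttpServletResponse.SC_OK) {
            response.sendError(status);
            return;
        }
        chain.doFilter(req, res);       // all checks passed: run setup
    }

    /**
     * Pure decision function, kept separate so it can be unit-tested.
     * Returns SC_OK when setup may run, otherwise the HTTP status to send.
     */
    static int decide(boolean siteInitialized, boolean isAdmin, String remoteAddr) {
        if (siteInitialized) {
            // Behave as if /setup no longer exists once a site is present.
            return HttpServletResponse.SC_NOT_FOUND;
        }
        if (!isAdmin) {
            return HttpServletResponse.SC_FORBIDDEN;
        }
        if (!isLoopback(remoteAddr)) {
            return HttpServletResponse.SC_FORBIDDEN;
        }
        return HttpServletResponse.SC_OK;
    }

    /** True for 127.0.0.0/8 and ::1; literal addresses need no DNS lookup. */
    static boolean isLoopback(String remoteAddr) {
        if (remoteAddr == null) {
            return false;
        }
        try {
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;           // unparseable address: deny
        }
    }
}
```

The decision is deliberately ordered so that the "site already initialized" check comes first: once a site exists, /setup answers 404 to everyone, admin or not, which is the behaviour Emilio describes for 1.0.2. The loopback test uses the container's remote address rather than any forwarded header, since headers are client-controlled.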

Lystochok Osinniy

Feb 2, 2016, 4:15:51 PM2/2/16
to Vosao CMS Development
Was this issue posted on:
https://github.com/vosaocms/vosao/issues
I couldn't find it.
Is it planned to be fixed? Or is it documented somewhere that manual disabling of InitFilter is required?
How should it be done? Just remove it?

Emilio Sanchez

Feb 7, 2016, 11:22:55 AM2/7/16
to Vosao CMS Development
A 1.0.2 version will soon be downloadable from Vosao Google Drive.

Emilio Sanchez

Feb 7, 2016, 11:24:31 AM2/7/16
to Vosao CMS Development
and fix the problem (new issue to be created): /setup will be erased.

Emilio Sanchez

Feb 14, 2016, 8:24:19 AM2/14/16
to Vosao CMS Development
Hello guys,

#607 issue "/setup security lack" was created.