Last month a customer came to me asking whether I could help him: his site was compromised, and his business customers had alerted him that his Joomla website was serving porn. He was losing business... big time, as word spread...
I have created a free plugin to help you get rid of and avoid these bogus links on your website: link below this blog!
I checked his site and could not find anything hacked, but further investigation showed that when googling his site, all kinds of porn and abuse URLs were pointing to his site, with his domain name as the domain in the URL. So Google was indexing porn URLs that, when clicked, would land you on his site.
Hi Ruud - thank you for your article. I have disabled the ID in the modern router. In the aftermath I discovered 1) You have to be very careful not to have duplicate aliases - which lead to a 404 page. And worse 2) the old URLs are still accepted... or can be guessed easily - so I need your PR - There will be no fix from Joomla Development as we both know... - I'm still convinced this is a major threat.
Thank you and best wishes
I wrote this article after discussion with the Joomla Security Strikeforce. If you aren't going to fix it at least make people aware of the issue and what potentially can be done about it.
The issue here is that the people 'in charge' of doing something about it do not have the issue: IMO it is as simple as that.
I did a PR for it for Joomla 4 (which also has this issue), but the only feedback I got was code styling, then nothing. So I closed that PR to get the attention back on the original issue. github.com/joomla/joomla-cms/pull/32500
What the PR did was give the user a choice: loose resolving (the way it is now), or strict resolving (require both id and matching alias)
As said, due to lack of interest I pulled that PR. I know Phil Taylor already did a number of PRs for Joomla 3 but again, stranded due to no feature (?) requests anymore for Joomla 3.
Because I don't want to make sites unprotected (by doing core changes) I have created a system plugin for a customer who was facing this exact issue. It will check the article id with the alias in the URL and match that with the alias of the article: if not the same, 404 / 410. This is only on the article alias, not the category alias (which again can be anything).
If you are interested I can create a standalone system plugin for that and push it to github
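The strict-resolving check described in the reply above, as an added example (not the author's plugin and not Joomla core code): a minimal Joomla 3.8+ system plugin that rejects a com_content article request unless the URL carries both the article id and an alias that exactly matches the article's stored alias. The plugin element name "strictalias", the class name and the error message are assumptions; the `onAfterRoute` event, the `#__content` table and the `id:alias` form the SEF router produces are Joomla's own.

```php
<?php
// Added example, not the author's plugin: enforce "strict resolving" for
// article URLs. Plugin element name "strictalias" and class name are assumed.
defined('_JEXEC') or die;

use Joomla\CMS\Factory;
use Joomla\CMS\Plugin\CMSPlugin;

class PlgSystemStrictalias extends CMSPlugin
{
    // Runs after the router has turned the request URL into request variables.
    public function onAfterRoute()
    {
        $app = Factory::getApplication();

        // Only guard frontend article views; leave the administrator alone.
        if (!$app->isClient('site')) {
            return;
        }
        $input = $app->input;

        if ($input->getCmd('option') !== 'com_content'
            || $input->getCmd('view') !== 'article') {
            return;
        }

        // The SEF router delivers the segment "123-some-alias" as id "123:some-alias".
        // A bare numeric id (old non-SEF links, or a guessed URL) carries no alias.
        $rawId    = $input->getString('id', '');
        $parts    = explode(':', $rawId, 2);
        $id       = (int) $parts[0];
        $urlAlias = isset($parts[1]) ? $parts[1] : '';

        // Look up the real alias of the requested article.
        $db    = Factory::getDbo();
        $query = $db->getQuery(true)
            ->select($db->quoteName('alias'))
            ->from($db->quoteName('#__content'))
            ->where($db->quoteName('id') . ' = ' . $id);
        $db->setQuery($query);
        $realAlias = $db->loadResult();

        // Strict resolving: both the id and an exactly matching alias are required.
        // Unknown id, missing alias or a visitor-chosen alias all end in a 404;
        // use 410 instead if you want search engines to drop the URL sooner.
        if ($realAlias === null || $urlAlias === '' || $urlAlias !== $realAlias) {
            throw new Exception('Article not found', 404);
        }
    }
}
```

Because the comparison is an exact string match on the article alias only, the category segment is still not validated, which is the limitation the reply above points out.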
You are welcome Mary,
I have worked as hired project manager in the banking business and before getting contracted these institutes are obliged by law to do a full background check on you.
I am sure that if there were bogus links on my (personal) website found in Google, I would never be hired as my background check would fail.