- in Xaraya Project Gets a New Look on February 25, 2009 08:33 PM
- in You can blame me this week on February 25, 2009 03:36 PM
- in You can blame me this week on February 25, 2009 02:00 PM
- in Not done one of these in a while on February 14, 2009 11:26 PM
- in Xaraya Search Module: Last X Searches exploit on February 09, 2009 12:52 AM
St.Ego posted this warning on the dev mailing list.
- St.Ego wrote...
-
It has come to my attention that the Search module feature to show the
last 10 searches has become the subject of automated submission,
potentially to draw traffic and/or SEO rankings to other sites.The automated attack takes the form of submitting URLs to the search
module so that they show up in the Last Searches, when displayed.The domain names so entered do not seem to be linked to correctly, just
refreshing the page if clicked on, as they should, but that hasn't
stopped them from being placed repeatedly.I recommend that everyone check your sites to verify if this feature is
on and if it is being abused.Heads-up, FYI and all that...
-St.Ego
I don't use the search module, but have had issues with this particular 'feature' in the past, mainly because users didn't like the searches they made revealed in this way. Typical that the spam bots would find a use for it, anyway, heads-up and FYI as St.Ego said. Let's be careful out there!
comments
Xaraya Search Module: Last X Searches exploit
Maybe there should be an option to turn this off.
Also maybe it would be good to not have search's public ever and rather have an option to have a search history (only viewable by the user) and maybe after enough data is collected have a "Top Search Items" section.
Xaraya Search Module: Last X Searches exploit
Turning it off is a quick template edit away ;) - providing config options for such things would be nice though.
The last 10 searched items isn't as sophisticated as collecting data on the searches and storing in a db table. It just maintains the last 10 searches, stored in a module var, very basic functionality. It doesn't lend itself to a top search items lookup in a useful way at all.
Xaraya Search Module: Last X Searches exploit
use the permissions to restrict search to the users that are logged in if that is ok for your site. That's what i did.
Xaraya Search Module: Last X Searches exploit
He could do that but seems like a simple setting would be easier.
