Hi all,
Following recent issues with the support site and forum, I have moved to a new server, more able (I hope :) ) to cope with the increased traffic and forum size. I had planned this for a little while, but the repeated downtime of the recent days forced me to rush the move a bit. Nonetheless, I took the opportunity of the move to update things a little:
- we have now a new template, courtesy of Chris Rault at JoomlaJunkie. Thanks Chris!
- Fireboard is gone, and here comes SMF instead. I have chosen, for simplicity and time constraints, to use an independent installation of SMF rather than a bridge. All accounts must have been transferred, avatars included. Hopefully that will work out fine. Please use the contact form in case of problems. It means all old URLs are gone, and new URLs are not SEF. Another consequence is that I have removed the Community Builder demonstration page, as I don't want to have people register to the site itself (members of the site and of the forum would not keep in sync).
- English is now the site default language. This is more in line with the visitors I have.
As you probably noticed as well, I have moved from extensions.siliana.net to extensions.siliana.com. This made things easier for the move. Hopefully, all the needed redirections are there!
On the sh404SEF front side, there'll be a small update soon, with a few bug fixes, nothing major.
Hope you like it, and most of all, that this new setup will run fine now!
Cheers
Hi all,
I have just released sh404SEF, with many changes from the past version, the most important being the addition of a security component. Here are a few more details:
sh404SEF version 1.3 RC - Release notes - November 17, 2007
This version has many changes, too many to list them all. Here are the key points:
1 - Added a security layer to sh404SEF.
As every URL goes through it, it will reject suspicious ones. The checks are as follows:
- presence of a mosConfig_xxx variable
- presence of a <script> command
- presence of a base64_encode command
- presence of txt files associated with jpg or similar files
- check that variables are numeric only (the variable list is set in the backend, comes with a predefined list)
- check that variables are alphanumeric only (the variable list is set in the backend, comes with a predefined list)
- check that variables do not contain http:// or ftp:// (the variable list is set in the backend, comes with a predefined list)
- check the incoming IP (white list/black list set in the backend, can have wildcards like 80.89.90.*)
- check the incoming UserAgent string (white list/black list set in the backend)
- anti-flooding system: check the number of requests from the same IP in a given time period (count and period set in the backend, applied on all requests, or only on requests with POST data, i.e. forms: protects against spam robots)
- optional check of the incoming IP against Project Honey Pot (a free, real-time database of known spammer and attacker IP addresses)
This protection is applied on SEF URLs, Joomla SEF URLs and Joomla standard URLs. Attacks are logged, and kept for a user-set number of months. Failing one of these tests results in a 403 page being displayed. On some tests, the 403 page has a javascript link embedded so that false positives (i.e. humans) can still access the requested page. This is useful for Project Honey Pot, which may have false positives (I think).
I am no security specialist, but I have tried to include the basic tests and a bit more. Feedback is very much welcomed on this part, which is the newest. The idea comes from the fact that many people are now using sh404SEF without .htaccess, and they can't take advantage of the basic security features the Joomla team included in their .htaccess in recent versions of Joomla. That, plus IP control and anti-flooding, should help. I am also very happy with Project Honey Pot, which does not seem to slow down sites when checking IPs, and I believe can be of great help.
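As an added illustration of the request checks and the anti-flooding counter described above (written in Python here; this is not sh404SEF's own PHP code), the variable lists, the IP black list and the flood threshold below are constructed assumptions standing in for the backend settings:

```python
import re
import fnmatch
from collections import defaultdict, deque

# Constructed policy in the spirit of the backend lists in the release notes;
# the variable names and thresholds are assumptions, not sh404SEF defaults.
NUMERIC_VARS = {"id", "Itemid", "limitstart"}
ALNUM_VARS = {"option", "task", "lang"}
NO_URL_VARS = {"return", "page"}
IP_WHITELIST = []               # empty: white list not enforced
IP_BLACKLIST = ["80.89.90.*"]   # wildcard syntax from the release notes

def ip_matches(ip, patterns):
    # fnmatch gives the "80.89.90.*" style wildcard; dots stay literal
    return any(fnmatch.fnmatchcase(ip, p) for p in patterns)

def inspect_request(params, client_ip):
    """Return None when the request passes, otherwise the reason for a 403."""
    if IP_WHITELIST and not ip_matches(client_ip, IP_WHITELIST):
        return "ip not in white list"
    if ip_matches(client_ip, IP_BLACKLIST):
        return "ip in black list"
    for name, value in params.items():
        low = value.lower()
        if name.startswith("mosConfig_"):       # config override attempt
            return f"mosConfig_ variable: {name}"
        if "<script" in low:                    # injected script tag
            return f"script tag in {name}"
        if "base64_encode" in low:              # encoded PHP payload marker
            return f"base64_encode in {name}"
        if name in NUMERIC_VARS and not value.isdigit():
            return f"non-numeric value in {name}"
        if name in ALNUM_VARS and not re.fullmatch(r"[A-Za-z0-9_.-]*", value):
            return f"non-alphanumeric value in {name}"
        if name in NO_URL_VARS and ("http://" in low or "ftp://" in low):
            return f"url in {name}"
    return None

class FloodGuard:
    """Sliding-window request counter per IP (the anti-flooding check)."""
    def __init__(self, limit, period_seconds):
        self.limit, self.period = limit, period_seconds
        self.hits = defaultdict(deque)

    def allow(self, ip, now):
        window = self.hits[ip]
        while window and now - window[0] >= self.period:
            window.popleft()                    # drop hits outside the period
        window.append(now)
        return len(window) <= self.limit
```

A rejected request would be answered with the 403 page and logged with the returned reason, which is the part of the scheme that makes later review of false positives possible.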
2 - SEO improvements
ShCustomtags has been improved. In addition to managing page title and meta tags as it already does, it will now:
- add "nofollow" tags to PDF and Print links generated by Joomla, in order to avoid duplicate content penalties
- insert article titles in Read more... links (they'll be like "Read more ...[How to make a plugin for Joomla in 3 minutes]"). A title attribute is also added to the <a> tag
- multiple h1 tags are now avoided: if set to insert h1 tags around article titles, the module will check if there is more than one. If so, each tag will be turned into an h2 tag instead
This being done by the module, it does not require any hacking of Joomla files, of course.
3 - Multi-lingual sites:
- moved all language-related params under one unique tab
- whether the URL should be translated and/or a language code added is now set on a per-language basis. Adding a language code is now also allowed for the default language, so that sites in non-Latin-character languages can work properly
- pagination text is now language dependent (Page-2.html in English, Pagina-2.html in Spanish for instance)
4 - Other:
- the control panel now has two levels: the default display shows only the main parameters, the extended display shows the full set of params. One can switch from simple to extended with a link on the main control panel
- added the possibility to manually set a component prefix: if you want all links to a given component to start with /my_prefix/..., you can now do it for all installed components. Useful for backward compatibility when coming from SEF Advanced/Open SEF, which need a prefix to identify components. The preferred option with sh404SEF is still not to use any prefix
- added a (rough) possibility to have a simple html 404 page. If an html file called 404-Not-Found.tpl.html exists in /components/com_sef, it will be used instead of loading the full Joomla template, etc. I provide a sample html file. You can insert %sh404SEF_404_URL%, %sh404SEF_404_SITE_URL% and %sh404SEF_404_SITE_NAME% tags in this file; they will be replaced by the missing page URL, the site root URL and the site name respectively, before the 404 page is displayed. Some people with heavily loaded servers requested this, as a means to reduce server load.
- worked on Mambo 4.6.2 compatibility. Seems to work pretty well, except for multi-lingual capability, where nokkaew seems at the moment not to allow all that Joomfish can do in terms of translating URLs. It means that translating URLs should not work properly, but simply inserting a language code should allow multi-lingual operation.
- the Russian language file is now encoded in CP-1251, and Hungarian files are now ISO-8859-2. Of course, all Mambo files are UTF-8
- many bug fixes, of course
5 - IMPORTANT: using JOOMFISH 1.8.x
Joomfish has changed the way it uses database fields. From version 1.8, it now has a "short code" for each language, and sh404SEF, to maintain backward compatibility with version 1.7 of Joomfish, will use this field. So you MUST check the Joomfish config as follows:
- go to the Joomfish menu, Languages sub-menu
- look at the "Short code" column, and make sure there is a value for each language you will use. What you enter here will be used in sh404SEF. For instance, you should put en for English, es for Spanish, etc.
Hello,
This morning, after some users reported hacking of their sites, the log files they supplied led me to the discovery of a vulnerability in versions 1.2.4.t, u and w of my URL rewriting component, sh404SEF. Under a particular set of circumstances, remote code execution was possible. I apologize for the initial error in code which allowed this, and to the webmasters that suffered hacking due to this vulnerability.
I have uploaded some fixed files on Joomlacode.
Here are the details:
A - If you are using a version up to and including 1.2.4.s, there is no vulnerability, and you don't need to take any action.
B - If you are using version 1.2.4.t or version 1.2.4.u, you need to patch your site:
1 - download the appropriate patch file from Joomlacode (sef404_t2.zip for version 1.2.4.t, or sef404_u2.zip for version 1.2.4.u)
2 - unzip this file on your local computer. This will give you a sef404.php file
3 - upload this new file using FTP into the /components/com_sef directory, replacing the existing one
C - If you are using version 1.2.4.w, you can either patch your site, or uninstall/re-install the new version w2.
Patching your site:
1 - download the appropriate patch file from Joomlacode (sef404_w2.zip)
2 - unzip this file on your local computer. This will give you a sef404.php file
3 - upload this new file using FTP into the /components/com_sef directory, replacing the existing one
Installing the new version:
1 - download the new version 1.2.4.w2, available now from Joomlacode
2 - using the Joomla installer, uninstall the current w version from your site
3 - using the Joomla installer, install the new version w2
All settings and data will be preserved in this process.
Very soon I'll be releasing the next version of sh404SEF, which has a set of security features to avoid this kind of issue as much as possible, not only in sh404SEF, but in other Joomla extensions.
In the meantime, I hope damages will be limited. I'll be available as much as I can at http://extensions.siliana.net to assist you in the upgrade process if needed.
Yours sincerely,
shumisha
Hi all,
This site has been unavailable for the last few hours, again! My host, Bluehost, has suspended my account, as they have detected, again, "phishing" site activity from my webspace. This time I had access to the FTP logs, and I realized hackers had full FTP access, meaning they knew my password (which obviously is not available on the site)!
It pleased me, sort of, as it means Joomla and Mediawiki are not involved in the security breach. Bluehost suggested that my password could have been "sniffed" from the outside. Kinda difficult to swallow, as I had changed it after the first episode. Anyway, I'll be using Secure FTP from now on, so I should be pretty safe.
Hopefully, I am through with this. Coupled with my change of programming environment, sh404SEF has not evolved during the last week, while there is still much to do!
Cheers!
Hello all,
Two good pages on SEO matters from Danny Sullivan:
Have a good read!