Affiliate Spammers can exploit/abuse the proxy function too easily

Alpha1

Alpha1

Well-known member
Affected version
2.3.9
Spammers are heavily abusing the proxy.php function. I have 40K malicious links like this in my Google Search Console:
proxy.php?link=spamlinkhere
proxy.php?aff-xxxx&link=spamlinkhere
None of these links exist on my website, so these are malicious backlinks to proxy.php to use my site to promote spam sites and affiliate links.
This affects crawl budget and may affect site authority and ranking. proxy.php can also drain server resources.

Suggested solution: add a setting to block proxy.php for guests.

Please also see these related threads:
www.xendach.de

XF1+2 - Spamlinks durch externe Verweise mit der proxy.php von xenforo

Google zeigt mir gerade in der Search Console tausende Linkfehler, die aber nicht direkt bei mir sind, sondern durch externe Seiten kommen, die aber auf meine proxy.php verweisen. Ein Link sieht dann extern so aus...
www.xendach.de www.xendach.de
K

Thread 'Image proxy always returns status code 200'

No matter if an image exists or not and if the hash (if required) is correct or not - the image proxy always returns status 200.

This is IMHO semantically wrong and Google seems to consider such URLs as "soft 404".

Suggested Change
Return 404 if no image exists (or 410 it it existed in the past but was pruned)
Return 400 (or 403) if a required hash is missing or wrong
  • Like
K

Thread 'Image proxy can be abused too easily'

Steps to reproduce
  1. Configure a proxy secret
  2. Start a new post
  3. Insert an external image
  4. Click preview
  5. Copy the generated image URL
Result
The generated proxy.php URL can now be used externally forever until the secret is changed without the image ever being displayed anywhere publically in XenForo

Suggested Mitigation
Make the hashes automatically expire after a configurable expire time
  • Like
 
Back
Top Bottom