SerrBizSEF Available Again 3-20-08
The other day we suspended SerrBizSEF due to a perceived hack. Upon research, we discovered it was NOT A Hack. The system is SAFE.
However, let us explain what is happening.
First, the issue should more accurately be described as SEF spam. It only affects sites that also use Forms LT.
Forms LT allows tracking codes to be added to SEF URLs. For example: /myform.html?sbflt=trackingcode1
To accommodate multiple tracking codes and clean SEF URL redirects, we adjusted the frontpage component rule in SerrBizSEF to record any request that carries a ?var query string.
This is good for legitimate tracking codes tied to the Forms LT forms.
However, if someone attaches their own ?var that does not correspond to a legitimate Forms LT tracking code, it too is recorded and SerrBizSEF tries to create an SEF for it. This bogus SEF is then displayed in the SEF URL control panel of SerrBizSEF.
Though annoying, it is NOT A SECURITY risk.
Given that spammers and hackers are always trying to bring down websites, and use referrer spam to increase link popularity via publicly displayed log files, all sites are subject to low-level attacks such as ?var string requests. Most webmasters never notice, as the request will just produce an error or be ignored, and it will never be seen unless the webmaster happens to check their log files.
In the case of webmasters using SerrBizSEF and Forms LT, the requests can be seen in SerrBizSEF control panel.
Now, not all such cases of tracking codes are bogus or of malicious intent. Google AdWords will automatically attach a variable string to your ad campaign destination URL so you can use Google Analytics and conversion tracking. Their tracking code looks like this:
?gclid=CLnJloG6kJICFQIgPAodOgnMjg&gclid=CLnJloG6kJICFQIgPAodOgnMjg
In its default state, Joomla 1.0 simply ignores that data and does nothing with it. SerrBizSEF, when Forms LT is installed, will record it.
As a solution, we considered making Forms LT check whether such var strings are tied to any form, but the extra database queries slowed down Forms LT significantly. This is not a good solution, as most tracking codes are tied to paid advertising, and the last thing you want is a slow-loading page when the click is paid.
Since the spam/bogus SEF entries pose NO SECURITY risk and simply take up space in the SerrBizSEF database table, we have decided to create a new function called SEF Purge.
SEF Purge will automatically purge the SEF table of bogus SEFs caused by spammers sending requests with variable strings.
Purge will also have a manual override function so the webmaster can execute at will.
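As an added illustration (not SerrBiz code), here is how a purge could decide which recorded entries are bogus. It assumes the SEF table stores the requested URL, and that the Forms LT tracking codes are loaded once into a cache rather than queried per request, so the check avoids the page-load cost described above; the rows and codes below are constructed samples.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample rows as they might sit in the SEF table:
# (id, recorded_url). Not the real SerrBizSEF schema (assumption).
SEF_ROWS = [
    (1, "/myform.html?sbflt=trackingcode1"),
    (2, "/myform.html?sbflt=trackingcode1&gclid=CLnJloG6kJICFQIgPAodOgnMjg"),
    (3, "/contact.html?ref=http://spam.invalid"),
    (4, "/myform.html?sbflt=notaregisteredcode"),
    (5, "/about.html"),
]

# Tracking codes registered with Forms LT, loaded once (e.g. from a cache
# file) instead of being looked up on every request. Constructed values.
KNOWN_FORM_CODES = {"trackingcode1", "trackingcode2"}

# Query keys that are legitimate even though no form owns them (AdWords).
ALLOWED_KEYS = {"gclid"}

def is_bogus(url, known_codes=KNOWN_FORM_CODES, allowed_keys=ALLOWED_KEYS):
    """True if the recorded entry carries a query string that neither a
    registered Forms LT tracking code nor an allow-listed key accounts for."""
    query = urlsplit(url).query
    if not query:
        return False            # plain SEF URL, nothing to purge
    params = parse_qs(query, keep_blank_values=True)
    for key, values in params.items():
        if key == "sbflt":
            if not all(v in known_codes for v in values):
                return True     # sbflt present but the code is not registered
        elif key not in allowed_keys:
            return True         # unknown parameter: bot or spam request
    return False

def purge_plan(rows):
    """Split rows into (keep, purge) id lists; the purge list is what an
    automatic or manual SEF Purge run would delete from the table."""
    keep, purge = [], []
    for row_id, url in rows:
        (purge if is_bogus(url) else keep).append(row_id)
    return keep, purge

if __name__ == "__main__":
    print(purge_plan(SEF_ROWS))   # ([1, 2, 5], [3, 4])
```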
In the meantime, we have reactivated the downloads for SerrBizSEF and other components.
However, in the process of tracking down the issue, we purged the system of all existing orders and users. So, you will need to create a new user account.
If you use SerrBiz Forms LT and have bogus SEFs recorded, you can manually purge the tables via your PHP admin control panel until the new purge function is ready.