What does the hack attack notification say? It may have been emailed to admins; otherwise it can be found in the Admin Zone > Audit > Security > Security logging.
This seems like a terrible bug. I have done a code analysis, and I think it could be happening, but only if the user clicking the link is logged in, which at least mitigates things slightly. I think the security report would say "A POST request by an authenticated member was made from an external website"
Automated response: Links from external domains clicked by logged in users, generate false-positive hack-attempt alert
A nasty bug got into the input filter changes in 9.0.17, and continued in 9.0.18.
Composr blocks form posting from external sites; however, this filter is running when Composr picks up an internally-defined default value for a potentially-posted parameter, rather than only for an actually-posted parameter. This means that logged-in users clicking a link from an external domain name get a suspect-hack-attempt notice.
9.0.18 has now been re-released due to this serious issue. We will continue to have this hot-fix against 9.0.18 for the benefit of users who upgraded before we re-released. This hot-fix is the only difference between the original version and the re-release.
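As an added illustration of the mechanism described in the post above (constructed example code, not Composr's own implementation; the `Request` model, the `post_param_*` helpers, the `handle` driver and the hostnames are all assumptions), the following models a request-parameter lookup that falls back to an internal default. The buggy version runs the external-post check on every lookup, so a logged-in user arriving via a link from another domain trips it even though nothing was posted; the fixed version only runs the check when the parameter was actually posted, while still catching a genuine cross-site form post:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed hostname for the illustration; not taken from any real site.
SITE_HOST = "cms.example.test"


@dataclass
class Request:
    """Minimal model of the pieces of an HTTP request the filter looks at."""
    method: str
    referer: Optional[str]
    authenticated: bool
    post: Dict[str, str] = field(default_factory=dict)


class SuspectHackAttempt(Exception):
    """Stands in for the 'suspect hack attempt' security-log entry."""


def referer_is_external(req: Request) -> bool:
    # A missing referer is not treated as external: browsers often strip it.
    if not req.referer:
        return False
    return urlparse(req.referer).hostname != SITE_HOST


def check_external_post(req: Request, name: str) -> None:
    # Only authenticated sessions are protected against cross-site posting,
    # which is why the thread sees the false positive only for logged-in users.
    if req.authenticated and referer_is_external(req):
        raise SuspectHackAttempt(
            "A POST request by an authenticated member was made from an "
            f"external website (parameter {name!r})")


def post_param_buggy(req: Request, name: str, default: Optional[str] = None):
    """9.0.17/9.0.18 behaviour: the filter runs on every lookup, including
    lookups that merely fall back to an internally-defined default."""
    check_external_post(req, name)
    return req.post.get(name, default)


def post_param_fixed(req: Request, name: str, default: Optional[str] = None):
    """Hot-fix behaviour: if nothing was posted there is nothing to filter."""
    if name not in req.post:
        return default
    check_external_post(req, name)
    return req.post[name]


def handle(fetch: Callable, req: Request, name: str = "redirect",
           default: str = "/") -> Tuple[str, str]:
    """Drive one lookup and report whether it alerted or returned a value."""
    try:
        return ("ok", fetch(req, name, default))
    except SuspectHackAttempt as exc:
        return ("alert", str(exc))


# Constructed scenarios.
LINK_FROM_EXTERNAL_SITE = Request("GET", "https://forum.example.org/t/1", True)
ANONYMOUS_LINK = Request("GET", "https://forum.example.org/t/1", False)
CROSS_SITE_POST = Request("POST", "https://other.example.org/form", True,
                          {"redirect": "/profile"})
SAME_SITE_POST = Request("POST", f"https://{SITE_HOST}/form", True,
                         {"redirect": "/home"})

if __name__ == "__main__":
    scenarios = [("link from external site", LINK_FROM_EXTERNAL_SITE),
                 ("anonymous link", ANONYMOUS_LINK),
                 ("cross-site form post", CROSS_SITE_POST),
                 ("same-site form post", SAME_SITE_POST)]
    for label, req in scenarios:
        print(f"{label:24} buggy={handle(post_param_buggy, req)[0]:5} "
              f"fixed={handle(post_param_fixed, req)[0]}")
```

The distinguishing case is the first scenario: a plain GET following a link, with no POST body, where the buggy lookup still raises the alert because the referer is external, whereas the fixed lookup simply returns the default. Both versions still alert on a real cross-site POST and accept a same-site one, so the hot-fix narrows the check without weakening it.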
By Guest,
Thanks Chris. The hotfix worked on my end and now all the external links to the website are working properly. Thanks for pulling the patch together. Resolution of issue confirmed.
The hotfix worked for me as well; however, I have doubts the code pushed correctly to 9.0.18. I was aware of this issue, and was aware you resolved it and attempted to re-release 9.0.18 with it. At the time I had not upgraded yet. However, after upgrading to 9.0.18, someone got a hack message for doing just this, and I had to apply the hotfix.
Thanks for letting me know. I have just fixed our upgrader generator system to auto-expire pre-built upgrade packages if a re-release happens. Sorry about that, I hadn't considered it.