Track exits allows any kind of URL, making phishing attacks easy

Posted: Mon Jan 03, 2022 10:24 pm
by ads
The "Track exits" Markup plugin has a couple of different options for how to track the URL. One of them is "Serendipity Exit-Tracking Routing". When this option is activated, the variable $open_redir in exit.php is true, which in turn will redirect the user to any URL specified as the ?url= parameter.

There is a comment in exit.php about spamming attacks (around line 27) when the ?url parameter is used, but still any URL is accepted in this part of the code.

If the "Track exits" option is enabled, anyone can use this to make it appear like a link is on the targeted website, example (not working, because tracking is off):

https://blog.s9y.org/exit.php?url=aHR0cHM6Ly9nb29nbGUuY29t
This is typically (ab)used by spammers/scammers to make users believe that a link is more trustworthy.

Serendipity should be using $url_id and $entry_id everywhere, no need to use $url at all.

Re: Track exits allows any kind of URL, making phishing attacks easy

Posted: Mon Jan 03, 2022 10:38 pm
by onli
Hi
Isn't the ability to wrap a random url kind of the core of the plugin? But in general it sounds reasonable to closely look at that functionality. The plugin hasn't seen maintenance in a long while now. It could use a maintainer :)

Re: Track exits allows any kind of URL, making phishing attacks easy

Posted: Mon Jan 03, 2022 10:53 pm
by ads
All tracked URLs in my Blog(s) have an ID, and are not specified as $url parameter. However I see a couple spammers trying to abuse this functionality (however I have no idea why the blog suddenly is trustworthy to anyone). They are probably just trying to hide some nasty URLs.

And no, I don't think wrapping any kind of URL is a core functionality, if the URLs from blog postings are tracked by ID.

Re: Track exits allows any kind of URL, making phishing attacks easy

Posted: Mon Jan 03, 2022 11:27 pm
by onli
I think we are missing something there. Okay, for internal links the url parameter seems unnecessary. But I think the url parameter is for external links. And as far as I understand the code that's called at https://github.com/s9y/additional_plugi ... #L148-L152 the plugin is not limiting its link replacement to internal links.

Re: Track exits allows any kind of URL, making phishing attacks easy

Posted: Tue May 24, 2022 7:53 pm
by Bla
My hoster complained because of high server load in my hosting. There were many calls on

domain.tld/exit.php?url=abc123…

serendipity_event_trackexits was yet disabled, so I removed it from backend and deleted the folder via FTP. But exit.php is still reachable. Can the file be deleted (even though it is part of the core) or what can I do?

Re: Track exits allows any kind of URL, making phishing attacks easy

Posted: Tue May 24, 2022 8:32 pm
by onli
Looking at the code, I think the file can be deleted. I see nothing that relies on it in the core.

There is some code though in there that aims to make the file less dangerous, basically inert if the trackexit plugin does not exist.

Re: Track exits allows any kind of URL, making phishing attacks easy

Posted: Wed May 25, 2022 11:13 am
by erAck
You can also tell them to go straight away with a 403 forbidden code (which doesn't even need a page generation) by adding to .htaccess

RewriteCond %{REQUEST_URI} =/exit.php [NC,NV]
RewriteRule .* - [F,L]
If your blog is not on the (sub)domain's document root then adjust =/exit.php to =/path/exit.php

If Track Exits was actually to be used then an additional condition

RewriteCond %{QUERY_STRING} ^url= [NC,NV]

would only kick out all /exit.php?url=... queries, or other matches on specific query string content could be used.
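As an added example (editor's code, not from the thread or from Serendipity), here is a small Python check that turns the abuse ads and Bla describe into something you can run over an access log: it finds exit.php requests that carry a ?url= value, base64-decodes it the way the example link above is encoded, and counts per source IP how many redirect off-site or carry undecodable junk, while ID-based requests (url_id/entry_id) are left alone. It assumes combined-format log lines, that the ?url= value is plain base64 of the target, and that the blog's own host is blog.example; the log lines are constructed for the example.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the thread). The blog's own host is
# assumed to be blog.example; a decoded redirect to any other host is flagged.
BLOG_HOST = "blog.example"
SAMPLE_LOG = """\
203.0.113.5 - - [24/May/2022:19:10:01 +0000] "GET /exit.php?url=aHR0cHM6Ly9nb29nbGUuY29t HTTP/1.1" 302 0
203.0.113.5 - - [24/May/2022:19:10:02 +0000] "GET /exit.php?url=aHR0cHM6Ly9ldmlsLmV4YW1wbGUvbG9naW4= HTTP/1.1" 302 0
198.51.100.7 - - [24/May/2022:19:10:03 +0000] "GET /exit.php?url_id=42&entry_id=7 HTTP/1.1" 302 0
198.51.100.7 - - [24/May/2022:19:10:04 +0000] "GET /exit.php?url=aHR0cHM6Ly9ibG9nLmV4YW1wbGUvYXJjaGl2ZXM= HTTP/1.1" 302 0
192.0.2.9 - - [24/May/2022:19:10:05 +0000] "GET /exit.php?url=abc123 HTTP/1.1" 302 0
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) ')

def decode_exit_url(param):
    """Decode the base64 ?url= value; None unless it yields an http(s) URL."""
    padded = param + "=" * (-len(param) % 4)  # logs usually carry it unpadded
    try:
        target = base64.b64decode(padded, validate=True).decode("utf-8")
    except ValueError:  # bad alphabet, bad length or not UTF-8
        return None
    return target if target.startswith(("http://", "https://")) else None

def classify_request(path, blog_host=BLOG_HOST):
    """None for anything but an exit.php ?url= redirect; otherwise
    'internal', 'external' or 'undecodable' for the decoded target."""
    parts = urlsplit(path)
    if not parts.path.endswith("/exit.php"):
        return None
    values = parse_qs(parts.query).get("url")
    if not values:
        return None  # url_id/entry_id lookups cannot redirect off-site
    target = decode_exit_url(values[0])
    if target is None:
        return "undecodable"
    return "internal" if urlsplit(target).hostname == blog_host else "external"

def scan_log(text, blog_host=BLOG_HOST):
    """Count flagged exit.php redirects per (source IP, kind)."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            kind = classify_request(m["path"], blog_host)
            if kind in ("external", "undecodable"):
                hits[(m["ip"], kind)] += 1
    return hits
```

Run scan_log over a real log to see which IPs are driving the load before deciding between the .htaccess block above and removing exit.php entirely.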