Title: Odd behavior – any security risks?
Last modified: August 19, 2016

---

# Odd behavior – any security risks?

 *  [baruch60610](https://wordpress.org/support/users/baruch60610/)
 * (@baruch60610)
 * [18 years, 4 months ago](https://wordpress.org/support/topic/odd-behavior-any-security-risks/)
 * I found that when I have a link to my blog, e.g.:
 * [http://www.example.com/blog/?http://some-other-site.com](http://www.example.com/blog/?http://some-other-site.com)
 * anything after the question mark is accepted and will lead to the blog’s front
   page. In fact, it appears that any link of the form:
 * [http://example.com/blog/?p=1234?anything-at-all](http://example.com/blog/?p=1234?anything-at-all)
 * the text after the final question mark is ignored, and the link simply brings
   you to the page referred to by p=1234.
 * I find this behavior puzzling and mildly unsettling. It looks like it’s a bug
   that silently tries to “do the right thing” and ignore meaningless text, if the
   first part of the link is OK. Is that a good idea?
 * Second, I found several such links in my log files, where the part after the 
   question mark pointed to another Website.
 * Does anyone have any insight into this, and should I be concerned? Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [Kafkaesqui](https://wordpress.org/support/users/kafkaesqui/)
 * (@kafkaesqui)
 * [18 years, 4 months ago](https://wordpress.org/support/topic/odd-behavior-any-security-risks/#post-691628)
 * Why wouldn’t this behavior be a good idea? The purpose of `?` in your url is 
   to pass a query. But the query must specify something — either a defined key 
   or key=value pairing recognized by the underlying software run on your site. 
   Otherwise it’s useless and (typically should be) ignored by it. So this:
 * `?http://some-other-site.com`
 * is pretty meaningless to a WordPress site, unlike:
 * `?p=1234`
 * Also note with:
 * `?p=1234?anything-at-all`
 * the second query component: `?anything-at-all`, would be ignored as it’s invalid.
   A normal query with one or more additional key/key=value pairs would use the `&`
   operator.
 *  Thread Starter [baruch60610](https://wordpress.org/support/users/baruch60610/)
 * (@baruch60610)
 * [18 years, 4 months ago](https://wordpress.org/support/topic/odd-behavior-any-security-risks/#post-692021)
 * Just because I can’t think of a way to exploit this quirk, doesn’t mean someone
   else couldn’t do it.
 * How difficult would it be to give an error when the query is invalid, instead
   of ignoring it? And would it be worth the effort? I don’t know the answers to
   these questions.
 * In general, however, it seems that many exploits *have* been possible as a result
   of seemingly innocent quirks. And I am getting really bizarre “queries” involving
   highly specific addresses that make me wonder whether there is something other
   than a chance error of some sort.
 *  [Kafkaesqui](https://wordpress.org/support/users/kafkaesqui/)
 * (@kafkaesqui)
 * [18 years, 4 months ago](https://wordpress.org/support/topic/odd-behavior-any-security-risks/#post-692022)
 * “_Just because I can’t think of a way to exploit this quirk, doesn’t mean someone
   else couldn’t do it._”
 * Couldn’t you say that about… well, almost anything?
 * “_How difficult would it be to give an error when the query is invalid, instead
   of ignoring it?_”
 * Note you originally brought up invalid queries that are invalid not because they
   are broken or misused, but because WordPress will not recognize them. I can pass:
 * `?funk=wagnalls`
 * as a string suffixed to my site’s url. This is just a ‘get’ query waiting for
   something to parse it and understand it, and unless something does and can (which
   WordPress normally would not), it would be beyond difficult to make use of it
   for some sort of ‘exploit,’ or to pass some sort of error based on it.
 * There’s nothing wrong with being concerned over areas of security leakage like
   this in WordPress, especially when passing query strings and the like, but keep
   in mind you can only break through a back door* that exists, not one that doesn’t.
 * * And hopefully set off some alarms. `:)`


The topic ‘Odd behavior – any security risks?’ is closed to new replies.
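
For the log entries the thread starter mentions, here is an added example (not part of the original thread and not WordPress code) that triages access-log lines by how their query string parses: an absolute URL passed as a key or value, a second `?` inside the query, or a key outside an allow-list. The log lines, IP addresses and the `KNOWN_KEYS` allow-list are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Aug/2016:10:01:02 +0000] "GET /blog/?p=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Aug/2016:10:01:09 +0000] "GET /blog/?p=1234&cat=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Aug/2016:10:02:11 +0000] "GET /blog/?http://some-other-site.com HTTP/1.1" 200 20480 "-" "-"
203.0.113.9 - - [19/Aug/2016:10:02:15 +0000] "GET /blog/?p=1234?anything-at-all HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [19/Aug/2016:10:03:40 +0000] "GET /blog/?funk=wagnalls HTTP/1.1" 200 20480 "-" "-"
"""

# Assumed allow-list: a few of WordPress's public query variables.
KNOWN_KEYS = {"p", "page_id", "cat", "s", "paged", "m", "tag", "author", "feed"}
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def classify(target):
    """Return the reasons a request target's query string looks unusual."""
    _, _, query = target.partition("?")
    # parse_qsl percent-decodes, so an encoded URL (http%3A%2F%2F...) is seen too.
    pairs = parse_qsl(query, keep_blank_values=True)
    reasons = []
    if any(URL_RE.match(k) or URL_RE.match(v) for k, v in pairs):
        reasons.append("embedded-url")
    if "?" in query:  # only the first '?' starts the query; later ones are data
        reasons.append("extra-question-mark")
    if any(k not in KNOWN_KEYS for k, _ in pairs):
        reasons.append("unknown-key")
    return reasons


def triage(log_text):
    """Return (client_ip, request_target, reasons) for each flagged log line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        reasons = classify(target)
        if reasons:
            findings.append((ip, target, reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in triage(SAMPLE_LOG):
        print(f"{ip:15} {target:40} {', '.join(reasons)}")
```

Grouping the flagged lines by client address and embedded host shows whether the odd queries come from one source repeating a pattern or from scattered one-off requests.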

## Tags

 * [exploit](https://wordpress.org/support/topic-tag/exploit/)

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 3 replies
 * 2 participants
 * Last reply from: [Kafkaesqui](https://wordpress.org/support/users/kafkaesqui/)
 * Last activity: [18 years, 4 months ago](https://wordpress.org/support/topic/odd-behavior-any-security-risks/#post-692022)
 * Status: not resolved

