In Joomla 3 if you are using the modern router then this doesnt happen
In Joomla 4 the modern router is enabled by default and this doesn't happen

@brianteeman correct, not everybody will use the modern router as that will require redirects. So the issue is there and will be there for as long as using the 'legacy' router is an option.

The fix is to not use the legacy router

The workaround is to set up redirect for every category / article combination to the URL without the numbers and then to set the modern router. Unfortunately that is not an option for every site.

So you have two working solutions but you dont want to use either of them :(

because they are not options in all cases. if you have e.g. a site with 90k articles over 2k categories that will just not work. Its like being able to walk barefoot so you are also able to walk to the top of mount Everest barefoot ;)

I sent you a DM with an expample on twitter as I didn't want to rune the rep of this big Joomla government site... not that I think you need convincing :)

1. I dont accept dm messages
2. I know the situation exists
3. the solution is as I described
4. doesnt mean its easy

You can make a plugin that doing extra check for that case ?
onContentBeforeDisplay (with context check if ($context === 'com_content.article')) should be okay,

Because it is "legacy" issue, I don't think it worth to spend a time on it.

@Fedik Thanks for the suggestion and I understand that this can be 'worked-around' with additional checks and db lookups, but that will be a performance ht.
IMO it would be better to have an option where I as a site owner can toggle this behavior: toggle on (default), as it is now, toggle off, match both id and alias else 404

This isn't perceived as an issue as most people do not have an issue until they find out they do have (as with my customer).
So part of the solution is to also 'educate' Joomla users in this risk of using the legacy router (joomla 3) or switching of the removal of the article id in Joomla 4. And as said, once hit with these (spam / abuse) URLs in your search results it is almost impossible to get rid of them (other then completely removing your site from google and restart)

with additional checks and db lookups, but that will be a performance ht.

Please look the event I suggested onContentBeforeDisplay, you do not need DB lookup.

You will have function onContentBeforeDisplay($context, $article), where $article holds both ID and Alias, that you can compare to current request.

This issue as old as Joomla exists.
Switching to "new router" will fix the issue, as @brianteeman already wrote.

After discussion with @zero-24 via mail, I rolled up my sleeves and did a non B/C breaking change for this issue #32500 32500

closing as we have a pr to test #32500

reopening as #32500 is closed

in the meantime:
"I think your website was hacked....I was searching for a .... article and found some really bad page URLs.

Just go to Google and search on this, with quotes around it:
"https://www....../"

I see 29 results; but if you click on the pages they do look like legit content....but check out the ends of the URLs! Awful stuff! I suspect maybe at some point in the past you got hacked, addressed it, but didn't handle these URLs. If you have not set up Google Search Console, make sure you do and check that section where Google tells you whether or not you've been hacked."

This should be closed. You have a fix already. Nothing is going to change by closing your fix.

usually i try to reopen an issue when the relative pr is closed
...even if i don't like ?

I closed the pr because it takes the attention away from this (real) underlying issue. The question is: is there an issue? When looking at the urgency of the pr, there isn't... So back to the initial issue at hand.
In the meantime I will be patching sites manually, just as I did for the person who forwarded me the mail his customer send ( the one I quoted above).

@alikon my comment was not addressed at you.

As a follow up to the conclusions stated above: "this is a legacy issue" and "the fix is to not use the legacy router" it isn't.
This is also an issue with the modern router. So switching to the new router is not fixing this vulnerability.
Select the modern router and set it to not remove the article id's.
Both J3 and J4 are affected by this.

as a side.. Joomla.org is effected by this :-)

https://www.joomla.org/announcements/BLAHBLAHBLAHBLAHBLAHBLAH/5834-BLAHBLAHBLAHBLAHBLAHBLAH

as a side.. Joomla.org is effected by this :-)

https://www.joomla.org/announcements/BLAHBLAHBLAHBLAHBLAHBLAH/5834-BLAHBLAHBLAHBLAHBLAHBLAH

All Joomla sites with legacy and / or modern router are affected, both Joomla 3 and 4!. Only way to get rid of this feature is to switch of the article ID via the modern router, but that is not always an option as you can understand, especially those with large number of articles

Incoming PR #32879 Please review, and test the hell out of it.

So #32879 and #32880 tried to address this - and came up against opposition. Its clear people dont want this fixed.

Just catching up on this, thanks @PhilETaylor for taking the time to put your time and effort in it. Opposition is IMO a good thing, as it tends to get the best out of us by getting better and more insights. I for some of those reasons closed my J4 PR #32500 (a different approach, but it stranded in me doing a lot of 'cosmetic' changes without getting any other follow up / response)

I strongly feel this should be labeled as a show stopper for J4, but that is not up to me to decide. Maybe @wilsonge can shed a light?

I have a strong feeling that this is one of those bugs not getting solved for the obvious reasons where later on you get that 'I told you so' feeling. No body gets hacked, nobodies site will get a DDOS... until they do. My customer also asks me why somebody would take the time to target him this way... maybe just because it is possible, who knows...

My final contribution then is #32887 which is b/c compatible and has configuration to allow a 404 or redirect or b/c off mode.

However, as stated, its got little to no chance of ever being merged to Joomla 3.

closing as we have a pr #32887

Unfortunately the PR was rejected by the maintainers (as is their right) therefore this issue will remain in Joomla 3 forever.

closing as we have a pr #32887

@alikon this PR was rejected, so this issue should be reopened

There is no point re-opening this.

The Joomla 3 maintainers have already made their decision never to accept this fix for Joomla 3.

HLeithner commented - Thanks @PhilETaylor but I don't see this in j3 and as alreadys said no new features for j3

The only remaining issue, that remains for Joomla 4, is listed in the issue #32880

ah ok #32880 for j4