Wednesday, October 28, 2009

Using .htaccess files to block exploit attempts

Alright, so there are a lot of noticeable trends in how people exploit Joomla websites, and I have seen a lot of simple mod_rewrite configurations that attempt to address this issue, but in my opinion they were often too vague and could easily cause problems with the site's normal functions. Hence, I have tried to hash out a set of mod_rewrite conditions that you can tag onto the end of your .htaccess files that will hopefully block out a good number of the common exploit attempts while interfering as little as possible with legitimate usage.

Keep in mind, this is just a trial script; I have not had a whole lot of time to test it. You will know it is working correctly/incorrectly if you get forwarded to your home page and receive a 403 Forbidden error.

Append to .htaccess in the same directory as your index.php file.


* Edited last line as the F option is compatible with more versions of Apache than R=403 *
* Edited to include conditions to match recent com_simpleboard and com_extcalendar exploits *
* Edited to remove the conditions that matched com_simpleboard and com_extcalendar specifically *
* Last updated on August 2, 2006 1:35 AM PDT (UTC -8:00) *

I am of course open to comments and suggestions. Your site should still be very usable with this code in place because of how specific I have tried to make the conditions. For example, it will not block out a search string that includes GLOBALS, only one that includes something to the effect of GLOBALS=... or GLOBALS[... or GLOBALS = (URL-encoded space, etc.).

It attempts to deal with exploit attempts that try to set _REQUEST variables or GLOBAL variables, as well as those that use XSS vulnerabilities and include JavaScript within the URL. It also attempts to block any script trying to assign a value to a mosConfig value and scripts that try to base64_encode information to pass it through the URL.
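The two paragraphs above describe the rule set by what it matches and, just as importantly, by what it leaves alone. The following is an added example, not the post's own .htaccess rules, that models conditions of that shape as Python regular expressions and runs them over a few constructed access-log lines so you can see which requests would get a 403 and which would pass. The patterns are applied to the raw query string because that is what mod_rewrite's %{QUERY_STRING} exposes (it is not URL-decoded), which is why the encoded spellings of "=", "[" and space have to be written out; the pattern names, the sample log lines and the 203.0.113.x addresses are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Added example, not the post's rule set. Each entry models one of the kinds of
# condition the post describes. In .htaccess terms each would be
#     RewriteCond %{QUERY_STRING} <pattern> [NC,OR]
# followed by
#     RewriteRule ^ - [F]
# so that a match answers 403 Forbidden (the [F] flag the edit note mentions).
BLOCK_PATTERNS = {
    # GLOBALS=, GLOBALS[, GLOBALS%5B, GLOBALS%20 ... but not the bare word GLOBALS
    "globals_override": re.compile(r"GLOBALS(=|\[|%[0-9A-F]{2})", re.I),
    # same shape for attempts to pre-populate _REQUEST from the URL
    "request_override": re.compile(r"_REQUEST(=|\[|%[0-9A-F]{2})", re.I),
    # assigning a value to any mosConfig_* setting through the URL
    "mosconfig_assign": re.compile(r"mosConfig_[a-z_]{1,21}(=|%3D)", re.I),
    # a base64_encode( call smuggled inside a parameter value
    "base64_call": re.compile(r"base64_encode[^&]*\(", re.I),
    # <script ...> or its percent-encoded form inside a single parameter
    "script_tag": re.compile(r"(<|%3C)[^&]*script[^&]*(>|%3E)", re.I),
}


def inspect_query(query):
    """Return the name of the first condition the raw query string trips, or None."""
    for name, pattern in BLOCK_PATTERNS.items():
        if pattern.search(query):
            return name
    return None


def decide(request_target):
    """HTTP status the modelled rules would give a request-line target (403 or 200)."""
    return 403 if inspect_query(urlsplit(request_target).query) else 200


# Constructed combined-format access-log lines for a dry run; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Oct/2009:09:00:01 -0700] "GET /index.php?option=com_content&task=view&id=12&Itemid=34 HTTP/1.1" 200 8120
203.0.113.11 - - [28/Oct/2009:09:00:05 -0700] "GET /index.php?option=com_search&searchword=GLOBALS HTTP/1.1" 200 4310
203.0.113.12 - - [28/Oct/2009:09:00:09 -0700] "GET /index.php?GLOBALS%5Bx%5D=1 HTTP/1.1" 200 8120
203.0.113.13 - - [28/Oct/2009:09:00:14 -0700] "GET /index.php?mosConfig_absolute_path=http://example.invalid/ HTTP/1.1" 200 8120
203.0.113.14 - - [28/Oct/2009:09:00:20 -0700] "GET /index.php?searchword=%3Cscript%3E HTTP/1.1" 200 4310
203.0.113.15 - - [28/Oct/2009:09:00:27 -0700] "GET /index.php?q=my_request_form HTTP/1.1" 200 4310
"""

# Pulls the request target out of the quoted request line of a log entry.
REQUEST_TARGET_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')


def triage_log(log_text):
    """Pair each logged request target with the rule it would trip (None when allowed)."""
    results = []
    for line in log_text.splitlines():
        match = REQUEST_TARGET_RE.search(line)
        if match:
            target = match.group("target")
            results.append((target, inspect_query(urlsplit(target).query)))
    return results


if __name__ == "__main__":
    for target, rule in triage_log(SAMPLE_LOG):
        status = "403" if rule else "200"
        print(f"{status}  {rule or '-':<17} {target}")
```

Running it shows the specificity the post is after: the search for the bare word GLOBALS and the parameter named my_request_form both pass, while GLOBALS%5Bx%5D=1, the mosConfig_absolute_path assignment and the encoded script tag are the ones that would have been refused. Replaying your own access log through triage_log before enabling rules like these is a cheap way to find legitimate URLs that would be caught.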

If this breaks some feature of your site, just comment out the rules by placing a # in front of them and everything should go back to normal. Let me know what you were doing, copy and save the URL, and I will try to work through it and figure out a way to allow the legitimate requests.

Hope it helps some of you guys worried about your site's security.
