Using .htaccess files to block exploit attempts

Discussion regarding Joomla! security issues.

RobS
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Post by RobS » Sun Jul 09, 2006 12:14 am

Alright, so there are a lot of noticeable trends in how people exploit Joomla websites and I have seen a lot of simple mod_rewrite configurations that attempt to address this issue, but in my opinion they were often too vague and could easily cause problems with the site's normal functions. Hence, I have tried to hash out a set of mod_rewrite conditions that you can tag onto the end of your .htaccess files that will hopefully block out a good number of the common exploit attempts while interfering as little as possible with legitimate usage.

Keep in mind, this is just a trial script; I have not had a whole lot of time to test it. You will know it is working correctly/incorrectly if you get forwarded to your home page and receive a 403 Forbidden error.

Append to .htaccess in the same directory as your index.php file.

########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL ([NC] = case-insensitive match)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
# (no [OR] on this last condition: the chain of conditions ends here)
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked requests to homepage with 403 Forbidden error!
# ([F] returns 403 Forbidden; the index.php substitution is not followed)
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
* Edited last line as the F option is compatible with more versions of Apache than R=403 *
* Edited to include conditions to match recent com_simpleboard and com_extcalendar exploits *
* Edited to remove the conditions that matched com_simpleboard and com_extcalendar specifically *
* Last updated on August 2, 2006 1:35 AM PDT (UTC -8:00) *

I am of course open to comments and suggestions. Your site should still be very usable with this code in place because of how specific I have tried to make the conditions. For example, it will not block out a search string that includes GLOBALS, only one that includes something to the effect of GLOBALS=... or GLOBALS[... or GLOBALS = (URL encoded space, etc.).

It attempts to deal with exploit attempts that try and set _REQUEST variables or GLOBAL variables as well as those that use XSS vulnerabilities and include javascripts within the URL. It also attempts to block any script trying to assign a value to a mosConfig value and scripts that try and base64_encode information to pass it through the URL.

If this breaks some feature of your site, just comment out the rules by placing a # in front of them and everything should go back to normal. Let me know what you were doing and copy the URL and save it and I will try and work through it and figure out a way to allow the legitimate requests.

Hope it helps some of you guys worried about your site's security.

This thread has been split in order to help keep the forum cleaned up. Please discuss this topic here:
http://forum.joomla.org/index.php/topic ... #msg388696
Last edited by RobS on Wed Aug 02, 2006 8:40 am, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
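To see which requests the five conditions above actually catch, and which ordinary ones pass, here is an added Python harness that is not code from this thread or from the Joomla! project. It re-expresses each RewriteCond pattern as a Python regex, applies them to the raw (still percent-encoded) query string the way Apache's %{QUERY_STRING} does, and runs them over constructed sample URLs; the host example.invalid, the sample query strings and the rule labels are all made up for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Python renderings of the five RewriteCond patterns from the post above.
# Apache matches %{QUERY_STRING} against the raw, still percent-encoded
# query string, so these checks run on the raw string too. RewriteCond
# regexes are case-sensitive unless the [NC] flag is given; only the
# <script> condition carries it, hence re.IGNORECASE on that one alone.
BLOCK_RULES = [
    ("mosConfig assignment", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)")),
    ("base64_encode call",   re.compile(r"base64_encode.*\(.*\)")),
    ("script tag",           re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS assignment",   re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST assignment",  re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]


def matching_rule(query_string):
    """Return the label of the first condition the raw query string trips, or None.

    The conditions are chained with [OR], so one hit is enough for the
    RewriteRule carrying [F] to fire.
    """
    for name, pattern in BLOCK_RULES:
        if pattern.search(query_string):
            return name
    return None


def check_url(url):
    """Simulate the rule set: (403, rule_label) if blocked, else (200, None)."""
    query = urlsplit(url).query      # raw query string, not URL-decoded
    rule = matching_rule(query)
    return (403, rule) if rule else (200, None)


# Constructed sample requests (hypothetical host; none come from the thread).
BASE = "http://example.invalid/index.php"
SAMPLE_URLS = {
    # Ordinary traffic that should keep working.
    "plain article":          BASE + "?option=com_content&task=view&id=12",
    "search for GLOBALS":     BASE + "?option=com_search&searchword=GLOBALS",
    "search with <b>":        BASE + "?option=com_search&searchword=%3Cb%3Ebold%3C%2Fb%3E",
    # Requests carrying the patterns the post says it blocks.
    "mosConfig via URL":      BASE + "?mosConfig_absolute_path=http://example.invalid/",
    "GLOBALS via URL":        BASE + "?GLOBALS[foo]=bar",
    "_REQUEST, encoded":      BASE + "?_REQUEST%5Boption%5D=x",
    "base64_encode call":     BASE + "?q=base64_encode(foo)",
    "script tag, upper":      BASE + "?searchword=%3CSCRIPT%3Ealert(1)%3C%2FSCRIPT%3E",
    # Blocked by design: GLOBALS followed by an encoded space (as the post says).
    "search GLOBALS + space": BASE + "?searchword=GLOBALS%20array",
}


def run_samples():
    """Evaluate every sample URL; returns {label: (status, rule_label)}."""
    return {label: check_url(url) for label, url in SAMPLE_URLS.items()}


if __name__ == "__main__":
    for label, (status, rule) in run_samples().items():
        verdict = f"403 ({rule})" if status == 403 else "200"
        print(f"{label:24s} -> {verdict}")
```

Two things the harness makes visible: the patterns only ever see the GET query string, so request bodies, cookies and headers are never inspected by this rule set, and because the match runs on the undecoded string, a plain search for "GLOBALS" passes while "GLOBALS%20array" is refused, exactly the trade-off the post describes.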

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Re: Using .htaccess files to block exploit attempts

Post by stingrey » Mon Aug 28, 2006 4:23 pm

These simple but effective .htaccess blocking rules are now part of the default .htaccess file in 1.0.11.

I highly encourage those using an older .htaccess to add this to their file.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D
