Joomla! Discussion Forums



Posted: Wed Jul 12, 2006 5:24 am 
Joomla! Master

Joined: Fri Aug 12, 2005 3:47 pm
Posts: 11688
Location: **Translation Matters**
friesengeist wrote:

@everyone:
Edit the file /globals.php. Change line 17 from:
Code:
define( 'RG_EMULATION', 1 );

to:
Code:
define( 'RG_EMULATION', 0 );


This won't break Joomla! core components, but might break 3PD components.


I have done that since the start of this series of attacks.  ;)
I guess 3pd components breaking should be rewritten.
Would be good to have a list of those.

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr · GMT +1
Qui vult dare parva non debet magna rogare.
---------------------------------
Joomla! Translation Coordination Team


Posted: Wed Jul 12, 2006 5:46 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Elpie wrote:
Joomlamahesh wrote:
When I make certain changes like to my .htaccess file, for incorrect settings, it gives me a 500 Internal Server error. Does that mean my .htaccess is working properly?


Not necessarily.
A 500 server error means one of two things - either the directive you have entered has a mistake in the syntax (that is, an error in the way it was written) OR your host has not permitted certain directives to be run in .htaccess.

There are differences between Apache 1.x and Apache 2.x that require directives to be handled a little differently, so knowing which version of Apache is running is important too.

Much depends on the way a host sets AllowOverrides in the server settings (getting errors is actually a good sign as it tells us that your host allows at least some directives to be written in .htaccess). 

I am not trying to direct traffic to my site, but there is a Guide to .htaccess in the FAQ's at Mambo Guru (use the forum link in my sig) that may help explain all this. I will talk to the mods here about posting this as a FAQ on Joomla.


In Apache 2.x, if you try to override a directive set in httpd.conf with an .htaccess file and AllowOverride is not set to allow for that override it will give you an error 500 message.

So, if you misspell a directive in your .htaccess file or it is a directive that Apache will not allow to be overwritten, you will receive an error 500 message, in Apache 2.x at least.

For my AllowOverride configuration I use "AllowOverride AuthConfig Options FileInfo" which allows for SEF, password protection, and other pretty standard features.

@Elpie,
I currently don't have access to an Apache 1.3.x system, could you check if this is the case so we could know for sure?

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Wed Jul 12, 2006 5:51 am
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 869
Yes, Rob, the same applies to Apache 1.x as well.

In Apache 2.x the php_flag directive doesn't work for setting register_globals off, so you need to use:
Code:
php_value register_globals 0

Note: you can't use on/off, you MUST use 0/1 if running on an Apache 2.x system.
With some Apache 2.x setups you also need to use the system for the directives to work - again, that depends on how your host sets up the AllowOverrides.

And, of course, if a host is using AllowOverrides None, then Apache completely ignores .htaccess files and the user has no idea that they are not working ;)

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
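Rob's AllowOverride explanation and Elpie's note on setting register_globals from .htaccess are both things that can be checked mechanically before a file is uploaded. The Python script below is an added example, not code from the thread, from Joomla! or from Apache: it maps each directive in a .htaccess file to the AllowOverride class Apache needs for it (mod_rewrite and ErrorDocument under FileInfo, Options and the mod_php php_value/php_flag directives under Options, and so on), predicts whether a given AllowOverride setting produces the 500 error, silently ignores the file, or accepts it, and reports what value the file requests for register_globals. The sample file, the misspelled directive and the AllowOverride strings are constructed for the example; the directive-to-class table is assumed to be correct for the directives it lists and is deliberately not exhaustive.

```python
import re

# AllowOverride class each directive needs, taken from the Apache httpd
# directive index and the PHP manual (php_value/php_flag in .htaccess need
# "AllowOverride Options"). Keys are lower-case because Apache matches
# directive names case-insensitively. Assumption: the table is limited to the
# directives used in the thread plus a few common ones; it is not exhaustive.
OVERRIDE_CLASS = {
    "rewriteengine": "FileInfo", "rewritebase": "FileInfo",
    "rewritecond": "FileInfo", "rewriterule": "FileInfo",
    "errordocument": "FileInfo", "redirect": "FileInfo",
    "options": "Options", "php_value": "Options", "php_flag": "Options",
    "authtype": "AuthConfig", "authname": "AuthConfig",
    "authuserfile": "AuthConfig", "require": "AuthConfig",
    "directoryindex": "Indexes",
    "order": "Limit", "allow": "Limit", "deny": "Limit",
}


def parse_htaccess(text):
    """Yield (line_no, directive, arguments) for every real directive,
    skipping blank lines, comments and <IfModule>-style container tags."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield n, parts[0], (parts[1] if len(parts) > 1 else "")


def check_htaccess(text, allow_override):
    """Predict how Apache treats the file under the host's AllowOverride.

    'ignored': AllowOverride None, the file is skipped without any error
               (the silent failure Elpie warns about).
    'error':   a directive is unknown (typo) or belongs to a class the host
               has not allowed; Apache answers every request with 500.
    'active':  every directive is permitted.
    """
    classes = set(allow_override.split())
    if "None" in classes:
        return {"status": "ignored", "problems": []}
    problems = []
    for n, directive, _args in parse_htaccess(text):
        needed = OVERRIDE_CLASS.get(directive.lower())
        if needed is None:
            problems.append((n, directive, "unknown directive (typo?) -> 500"))
        elif "All" not in classes and needed not in classes:
            problems.append((n, directive, f"needs AllowOverride {needed} -> 500"))
    return {"status": "error" if problems else "active", "problems": problems}


def register_globals_setting(text):
    """Return the register_globals value the file requests ('0', '1', 'on',
    'off'), or None if the file does not set it."""
    for _n, directive, args in parse_htaccess(text):
        if directive.lower() in ("php_value", "php_flag"):
            m = re.match(r"register_globals\s+(\S+)", args, re.IGNORECASE)
            if m:
                return m.group(1).lower()
    return None


# Constructed sample, modelled on the Joomla! htaccess.txt quoted later in the thread.
SAMPLE_HTACCESS = """\
# constructed sample file
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php
php_value register_globals 0
"""
# The same file with one misspelled directive, the other common cause of a 500.
TYPO_HTACCESS = SAMPLE_HTACCESS + "RewriteRulz ^old$ /new\n"

if __name__ == "__main__":
    for setting in ("None", "FileInfo", "AuthConfig Options FileInfo"):
        print(setting, "->", check_htaccess(SAMPLE_HTACCESS, setting))
    print("typo, AllowOverride All ->", check_htaccess(TYPO_HTACCESS, "All"))
    print("register_globals requested:", register_globals_setting(SAMPLE_HTACCESS))
```

Run against the sample, "AllowOverride FileInfo" flags the Options and php_value lines, "AllowOverride None" reports the file as ignored rather than broken, and the misspelled RewriteRulz line is reported even under "AllowOverride All", which separates the two causes of a 500 that the thread discusses.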


Posted: Wed Jul 12, 2006 5:59 am
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 869
So many people are trying to switch register_globals OFF using .htaccess - well, I have a tip for you...

ASK YOUR HOSTS TO TURN REGISTER_GLOBALS OFF SERVER-WIDE

Hosts have been reluctant to do this, simply because it can break some scripts.  Well, most well-written scripts these days don't need globals anymore. 

Some hosts don't turn them off because they say their customers are not requesting register_globals OFF.
So, I am issuing a challenge - every single one of us that wants globals off should ask their hosts to do this. If a host says, "No" to you, they may rethink if they get 100 customers asking the same thing!

There are over 43,000 on this forum and many more Joomla users out there who haven't registered on the forum - what a terrific impact we could have on security if we all said, "please Mr Host, we want register_globals OFF".
Just a thought ;)

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Posted: Wed Jul 12, 2006 6:06 am
I've been banned!

Joined: Thu Aug 18, 2005 12:37 am
Posts: 1139
Location: Melbourne, Australia
This may sound like a real dumb, crazy or just plain stupid idea..

People really need a CMS that actively / heuristically defends itself against attacks. Now you take something like Wordpress and the fact it can manage .htaccess for you, combine that with say a "secure" heuristic protocol that figures out an XSS attack is happening (maybe compare URI to SEF algorithm), and then generates and builds the .htaccess to accommodate? (Anti-virus for a CMS?)

I've been unravelling the dangers of XSS based hacks on a few other content management systems outside Mambo and Joomla over the last few months and it kinda struck me what needs to be done.


Posted: Wed Jul 12, 2006 6:12 am
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 869
Not dumb Absalom. Let's explore the idea further (perhaps elsewhere?) as there are already moves underway for a security component ;)

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Posted: Wed Jul 12, 2006 6:13 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
I agree, that is something worth looking into.  Perhaps you could start a new thread with your ideas relating to the subject?  I imagine the security forum would be a good place to discuss this specific feature. 

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Wed Jul 12, 2006 7:10 am
Joomla! Apprentice

Joined: Mon Nov 28, 2005 5:00 pm
Posts: 32
Location: Mumbai, India
Elpie wrote:
ASK YOUR HOSTS TO TURN REGISTER_GLOBALS OFF SERVER-WIDE



I asked my hosts to turn Register Globals OFF, explaining to them the need to do a server-wide setting, to which they immediately agreed and changed RG to OFF. I had asked them to refer to this forum as well as to do a general search on RG. I got a prompt reply of RG=OFF.

Elpie wrote:
I am not trying to direct traffic to my site, but there is a Guide to .htaccess in the FAQ's at Mambo Guru (use the forum link in my sig) that may help explain all this. I will talk to the mods here about posting this as a FAQ on Joomla.


Gone through the guide. Pretty useful stuff.

What if I have .htaccess in root only and not in other directories? I have already added everything recommended on this forum to my .htaccess + RG=OFF. Is that enough to prevent another hack of my website?

_________________
A man is not finished when he is defeated,
He is finished when he quits


Last edited by Joomlamahesh on Wed Jul 12, 2006 7:36 am, edited 1 time in total.

Posted: Wed Jul 12, 2006 7:57 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
.htaccess files work recursively so it should affect all folders below it.  Saying that those changes will "prevent" the next hacking attempt would be overstating it.  These changes will help prevent some possible attacks but they cannot possibly prevent all attacks.  There could be newly discovered vulnerabilities two months from now that are totally new and different from anything we have seen thus far and it is probably very unlikely that my .htaccess additions will prevent those.  Having RG off, however, will definitely limit the potential for being hacked, because many small bugs can be escalated with RG on, turning that small bug into a major issue.  So if nothing else, it will help keep the small issues small and make it harder for attackers to turn a small bug into the next remote file inclusion vulnerability.

I will of course try and keep the rewrite rules sane and current to address the next issue we have to deal with.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
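Rob's point that register_globals turns a small bug into a big one is easiest to see on the classic case of a variable that is tested before it is ever assigned. The Python below is an added example written for this thread, not Joomla! code and not PHP: it emulates what register_globals does to a script (every request parameter is copied into the script's variable table before the first statement runs) and shows the same page logic twice, once relying on an uninitialised variable and once with the variable initialised explicitly, which is the fix that makes the page safe regardless of the server setting. The credential, parameter names and page strings are constructed for the example.

```python
SECRET_PASSWORD = "correct-horse"   # constructed sample credential, not a real one


def page_logic(scope, params):
    """The page body shared by both versions: grant access only on a correct
    login, then act on the $authorized variable held in `scope`."""
    if params.get("user") == "admin" and params.get("pw") == SECRET_PASSWORD:
        scope["authorized"] = True      # the only intended way to set it
    return "sensitive data" if scope.get("authorized") else "access denied"


def sloppy_page(params, register_globals):
    """Emulates a PHP page that reads $authorized without initialising it.

    With register_globals on, PHP copies every GET/POST parameter into the
    script's variable scope before the first line runs; `scope` stands in for
    that variable table. A stray ?authorized=1 therefore arrives as
    $authorized = "1", and the unassigned-variable bug becomes a bypass.
    """
    scope = {}
    if register_globals:
        scope.update(params)
    return page_logic(scope, params)


def hardened_page(params, register_globals):
    """Same page with `$authorized = false;` as its first statement: whatever
    register_globals placed in scope is overwritten, so the server setting no
    longer decides the outcome. Initialising every variable you test is the
    code-level fix; turning register_globals off is the server-level one."""
    scope = {}
    if register_globals:
        scope.update(params)
    scope["authorized"] = False         # explicit initialisation is the fix
    return page_logic(scope, params)


if __name__ == "__main__":
    login = {"user": "admin", "pw": SECRET_PASSWORD}
    stray = {"authorized": "1"}         # no credentials, just a parameter name
    for rg in (True, False):
        print(f"register_globals={rg}:",
              "sloppy/login:", sloppy_page(login, rg),
              "| sloppy/stray:", sloppy_page(stray, rg),
              "| hardened/stray:", hardened_page(stray, rg))
```

With register_globals on, the sloppy page grants access to a request that carries no credentials at all; with it off, or with the variable initialised, the same request is denied. That is the "small bug escalated" that the post describes, and why both fixes are worth applying.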


Posted: Wed Jul 12, 2006 2:18 pm
Joomla! Apprentice

Joined: Tue Apr 04, 2006 3:52 pm
Posts: 8
Problem: I have implemented the .htaccess add-on, but am now unable to access other non-Joomla directories inside the root. For instance, some personal directories that I store images I want to be able to use off-site.

A couple of other non-Joomla directories I do link to within the Joomla install, and have no problem with accessing as long as I am clicking on the link within Joomla. But if I try to access them at the directory level (i.e., http://www.mydomain.com/photos/), it redirects me back to the index page.

How would I create an exception to the .htaccess to allow for access to these directories from outside of the Joomla install?

BTW, at least 23 hack attempts were made to one of my sites yesterday and I *think* all failed, if the Failed Referrer logs were to be believed. From what I've determined, the attempt was made using a known vulnerability in the phpBB component for Joomla.

Tracy


Posted: Wed Jul 12, 2006 5:07 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
tpod wrote:
Problem: I have implemented the .htaccess add-on, but am now unable to access other non-Joomla directories inside the root. For instance, some personal directories that I store images I want to be able to use off-site.

A couple of other non-Joomla directories I do link to within the Joomla install, and have no problem with accessing as long as I am clicking on the link within Joomla. But if I try to access them at the directory level (i.e., http://www.mydomain.com/photos/), it redirects me back to the index page.

How would I create an exception to the .htaccess to allow for access to these directories from outside of the Joomla install?

BTW, at least 23 hack attempts were made to one of my sites yesterday and I *think* all failed, if the Failed Referrer logs were to be believed. From what I've determined, the attempt was made using a known vulnerability in the phpBB component for Joomla.

Tracy


When you are redirected back to the index page of your site after requesting http://www.yourdomain.com/photos/, does the page load correctly or are you receiving an error?  I have tested accessing http://www.mydomain.com/photos/ and the rewrite rules that I wrote do not seem to be catching the request, which is the correct behavior.  Are you running some other type of SEF that might be causing the problem?

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Wed Jul 12, 2006 5:53 pm
Joomla! Apprentice

Joined: Tue Apr 04, 2006 3:52 pm
Posts: 8
RobS wrote:
When you are redirected back to the index page of your site after requesting http://www.yourdomain.com/photos/, does the page load correctly or are you receiving an error?  I have tested accessing http://www.mydomain.com/photos/ and the rewrite rules that I wrote do not seem to be catching the request, which is the correct behavior.  Are you running some other type of SEF that might be causing the problem?


The front page is loading with no errors when I try accessing a non-Joomla directory.

I'm using the Joomla SEF. The only third party SEF I'm using is Xaneon Alias Manager 1.0.3a.

Now, I did have this same problem when I first upgraded to Joomla! 1.0.10 stable, but was able to fix it by uncommenting the "Options FollowSymLinks" line in the new htaccess file.

Heh. Just did the opposite -- RE-COMMENTED the "Options FollowSymLinks" line and now I can view the directory.

How strange.

Thanks,

Tracy


Posted: Wed Jul 12, 2006 7:03 pm
Joomla! Explorer

Joined: Sat Feb 11, 2006 9:43 pm
Posts: 279
Location: Birmingham, USA
Count me in as a tester!  :)
I added your suggested code to .htaccess file and I am testing it.
So far so good.

My site was hacked on 7-8-06 as well, through the extcalendar.  After uploading the Joomla patch (upgrade) I still have issues with front-end login failing after a certain time.

I will send you the link to the site,  for the reference for the .htaccess file code.

_________________
The key to your life is how well you deal with plan "B".
Latvian Project http://joomlacode.org/gf/project/joomla_latvian/ | http://www.joomlalv.org


Posted: Wed Jul 12, 2006 7:32 pm
Joomla! Explorer

Joined: Sat Feb 11, 2006 9:43 pm
Posts: 279
Location: Birmingham, USA
Possibly a stupid question  8) , but I would really like to know:

Did these hacks through extcalendar affect only sites that have a .htaccess file engaged and SEF turned on, or ones with regular links as well? Do you have data on this?

_________________
The key to your life is how well you deal with plan "B".
Latvian Project http://joomlacode.org/gf/project/joomla_latvian/ | http://www.joomlalv.org


Posted: Wed Jul 12, 2006 7:57 pm
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
SEF does not matter for the exploit against extCalendar.  Actually, the component does not even have to be published or registered as installed with Joomla, the files just have to be on the server.  So if you had it and deinstalled it from Joomla, make SURE that the files are actually gone as you may still be at risk.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Thu Jul 13, 2006 8:21 am
Joomla! Intern

Joined: Sat Aug 20, 2005 6:39 pm
Posts: 58
Location: Hardenberg - Netherlands
How can I access the .htaccess file to see what is written and rewrite it?
Is there a way to do this with my WS FTP Pro? Or is it only possible to overwrite the file?

Gert


Posted: Thu Jul 13, 2006 8:34 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Gert wrote:
How can I access the .htaccess file to see what is written and rewrite it?
Is there a way to do this with my WS FTP Pro? Or is it only possible to overwrite the file?

Gert


Gert, unless you have already renamed htaccess.txt to .htaccess there will not be an .htaccess file.  I am not familiar with WS FTP Pro but I imagine, like other FTP clients, it hides files that start with a dot.  There is most likely a setting somewhere that will allow you to adjust this.  Look around in the preferences and if necessary search Google, as I imagine someone has probably asked this same question before.  In the event that you have to manually edit the options for the commands that WS FTP uses, add the -a option to the ls command, so that it reads "ls -a", and then you should be able to see your .htaccess file if you do in fact have one.  From then on you should be able to download/overwrite/chmod/etc. the file if so desired.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Thu Jul 13, 2006 9:47 am
Joomla! Intern

Joined: Sat Aug 20, 2005 6:39 pm
Posts: 58
Location: Hardenberg - Netherlands
Thanx RobS,

I found the solution in the WS FTP forum. For someone with the same problem:

http://www.ipswitch.com/forums/shwmessa ... geid=16517

Gert


Posted: Thu Jul 13, 2006 10:18 am
Joomla! Ace

Joined: Tue Aug 23, 2005 1:56 pm
Posts: 1804
Location: Kent / Sussex / Surrey border UK
I have just used the .htaccess file that you have provided on a large charity site I look after that uses extcalendar as well; so far all is working as it should. I have also modified the extcalendar files to use "mos or die" code. Fingers crossed all holds up. A THANK YOU for all the efforts the security team have put in to making Joomla as secure as they can.

_________________
http://www.gadsolutions.biz Electrical services
http://www.electrical-testing-safety.co.uk Testing services


Posted: Thu Jul 13, 2006 10:21 am
Joomla! Virtuoso

Joined: Fri Aug 12, 2005 7:19 am
Posts: 4471
Location: Leeds, UK
Gert wrote:
How can I access the .htaccess file to see what is written and rewrite it?
Is there a way to do this with my WS FTP Pro? Or is it only possible to overwrite the file?

Gert


From the ws_ftp pro help file under hidden files
Quote:
"Displaying Only One Type of File

1 Select the site.

2 Do one of the following:
In the Classic interface, click Properties.
In the Explorer interface, select Site Properties from the File menu.
In the Find Utility, select Properties from the right mouse menu.

3 Click the Startup tab.

4 To limit the files you see to just one type, enter an asterisk and period followed by the file extension in the Local file mask and/or Remote file mask text box. For example, to display only text files, enter *.txt.

To display all files on a UNIX site including hidden (.) ones, enter -al or -la. Or, use -altr to receive file names in date sequence. (For those familiar with DOS FTP clients: You can also enter any argument string you would use with a "Dir" command.)"


The important bit is the -al


Posted: Tue Jul 18, 2006 7:40 am
Joomla! Fledgling

Joined: Mon Jul 17, 2006 12:20 pm
Posts: 1
Hi,

I get the following error when adding the .htaccess file:
IISPassword
The page cannot be displayed 
There is a problem with the page youare trying to reach and it cannot be displayed. It is most likely that configuration files for this url are corrupted. 

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.
Open the home page, and then look for links to the information you want.
If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the home page.
HTTP Error 500
IISPassword for Internet Information Services
--------------------------------------------------------------------------------


My .htaccess file looks like this:
##
# @version $Id: htaccess.txt 423 2005-10-09 18:23:50Z stingrey $
# @package Joomla
# @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##

#
#  mod_rewrite in use
#

RewriteEngine On

#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update YourJoomlaDirectory (just / for root)

# RewriteBase /YourJoomlaDirectory

#
#  Rules
#

RewriteCond %{REQUEST_FILENAME} !\.(jpg|jpeg|gif|png|css|js|pl|txt)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php
########## Begin - Rewrite rules to block out some common exploits
#                             
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a
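The two QUERY_STRING conditions that survive in the listing above can be replayed against traffic before a rule set goes live, which is also the quickest way to find the false positives Rob has to keep "sane". The Python script below is an added example, not part of the thread and not Joomla!'s htaccess.txt: it carries the same two patterns, applies them the way mod_rewrite does (an unanchored regex search on the raw, still percent-encoded query string), and runs them over a few constructed Apache access-log lines. The log lines, client addresses and the search term that trips the base64_encode pattern are constructed for the example; the action the conditions feed is cut off on the page and is not reproduced here.

```python
import re
from urllib.parse import urlsplit

# The two QUERY_STRING conditions visible in the .htaccess above, as Python
# regexes. Apache evaluates a RewriteCond pattern as an unanchored PCRE search
# against the raw (still percent-encoded) query string, so re.search on the
# undecoded string reproduces the matching semantic.
BLOCK_PATTERNS = [
    ("mosConfig override", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)")),
    ("base64_encode call", re.compile(r"base64_encode.*\(.*\)")),
]


def matched_rule(query_string):
    """Name of the first condition that fires on this QUERY_STRING, or None."""
    for name, pattern in BLOCK_PATTERNS:
        if pattern.search(query_string):
            return name
    return None


def triage_access_log(lines):
    """Replay the conditions over Apache combined-format request lines and
    return (request_url, verdict) per line, so a rule set can be checked
    against real traffic before it goes live."""
    results = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/1\.[01]"', line)
        if not m:
            continue
        url = m.group(1)
        rule = matched_rule(urlsplit(url).query)   # .query is left undecoded
        results.append((url, f"blocked ({rule})" if rule else "passed"))
    return results


# Constructed log lines: a normal page view, a request carrying a mosConfig_
# parameter, a percent-encoded variant of the same thing, and a legitimate
# site search whose text happens to contain "base64_encode()" (a false positive
# the rule will produce and that an administrator should expect).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jul/2006:05:24:01 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8123',
    '203.0.113.5 - - [12/Jul/2006:05:24:09 +0000] "GET /index.php?mosConfig_absolute_path=%2Ftmp HTTP/1.1" 200 512',
    '203.0.113.8 - - [12/Jul/2006:05:24:15 +0000] "GET /index.php?x=mosConfig_live_site%3Dy HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jul/2006:05:25:30 +0000] "GET /index.php?option=com_search&searchword=base64_encode() HTTP/1.1" 200 4411',
]

if __name__ == "__main__":
    for url, verdict in triage_access_log(SAMPLE_LOG):
        print(f"{verdict:30} {url}")
```

The first pattern fires on both the plain and the %3D-encoded forms because the rule was written to catch both, while the last line shows the cost of a substring rule: a user searching the site for the phrase base64_encode() is blocked too. Replaying a day of logs this way before enabling the rules tells you how many such requests you will lose.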


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group