Change font size Change Width
Advanced Search
 

Joomla! Discussion Forums



It is currently Thu Nov 26, 2009 8:44 pm (All times are UTC )

 

Board index » Other Forums » The Lounge » Archived Boards - All boards closed » FAQ Archive



Post new topic Reply to topic  Page 1 of 1
  [ 1 post ] 
  Print view Previous topic | Next topic 
Author Message
rliskey
Posted: Sat Oct 07, 2006 2:56 am 
User avatar
Joomla! Guru
Joomla! Guru
Offline

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Introduction
RobS created a set of mod_rewrite conditions (below) that you can tag onto the end of your .htaccess file. These conditions will block a good number of common exploit attempts while interferring as little as possible with legitimate usage.

Each server configuration is unique. If you are forwarded to your home page and receive a 403 Forbidden error, you will know these settings worked incorrectly on your site. If a particular rule breaks some feature of your site, just comment it out by placing a # in front of the offending rule.

Note: As of Joomla! version 1.0.11, these settings are included in the file, htaccess.txt (no dot in filename) which is automatically added to your site during the Joomla! install.

Directions
1. Append the following code to the .htaccess file in the same directory as your Joomla! index.php file (often your public_html directory).
2. Test your site.
3. If the site produces errors, comment out all of these lines, and uncomment and test one line at a time until you find the problem directive(s).
4. Try to tweak these directives to work on your server, or leave them commented out.

Code:
########## Begin - Rewrite rules to block out some common exploits
#                             
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits


More Information
  • Help finding or creating your .htaccess file is here.
  • Good background information on Apache mod rewrite is on Wikipedia.
    Discuss this FAQ here.

Back to Security FAQ Table of Contents

Keywords: security, htaccess, .htaccess, rewrite, mod rewrite, modrewrite

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com

Last edited by rliskey on Mon Feb 26, 2007 8:08 am, edited 1 time in total.

Top
  E-mail  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 1 post ] 

Quick reply

 


Board index » Other Forums » The Lounge » Archived Boards - All boards closed » FAQ Archive

Who is online

Users browsing this forum: No registered users and 1 guest

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
 
 
 
 
 

© 2005-2009 Open Source Matters, Inc. All rights reserved. Joomla hosting by Rochen Ltd.