The Joomla! Forum ™



Post new topic Reply to topic  [ 353 posts ]  Go to page Previous  1 ... 8, 9, 10, 11, 12
PostPosted: Tue Jul 05, 2011 9:47 am 
Joomla! Apprentice

Joined: Tue Jul 05, 2011 9:22 am
Posts: 5
Thanks everybody for the suggested file.

One more idea from a newbie: there are a lot of suggestions on the web to disable the HTTP TRACE and TRACK methods (e.g. http://publib.boulder.ibm.com/httpserv/ ... trace.html or just google for "http trace track") to prevent cross-site tracing attacks. Would that be something to also be added to the file?

Maybe together with the HEAD and DELETE methods, as in "Other useful settings" on http://docs.joomla.org/Htaccess_examples_%28security%29 ?

Cheers!


PostPosted: Tue Jul 05, 2011 11:21 pm 
Joomla! Guru

Joined: Mon Feb 21, 2011 4:02 pm
Posts: 951
Location: UK
Yes, certainly worth considering. Thanks! The suggestions I fed back to the original author several months ago haven't been acknowledged or actioned. At some point, when I have a bit more time, I might fork the entire project and make a whole load more changes that I have noted over the last few months.

_________________
Online since 1995.


PostPosted: Tue Jul 05, 2011 11:35 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
Trace is not a vulnerability in the TRACE command, or in the Apache web server. Rather it is a browser issue that can occur with certain browsers that can be scripted. The TRACE request has been blown out of proportion by the press who do not understand what they are reporting on.
This was first reported in 2003 I believe, and would probably be better served if turned off on the server and it may have been fixed within the browser in question.

I don't think most people need to be concerned greatly about the issue (personal opinion only), though it is possible a hacked site could be serving the carefully crafted pages to gain online banking credentials I suppose. I'm not saying it should be or should not be added. It probably should, though if an attacker has access to your site to insert the pages etc., they can remove it from htaccess.

For those who don't understand much about this issue, read on. The info below came from the sites I referenced below which do a better job of explaining the issue than the site posted in the above post.

When an HTTP TRACE request is sent to a web server the server will respond by echoing the data that is passed to it, including any HTTP headers. As the paper explains, some browsers can be scripted to perform a TRACE request. A browser with this functionality can be made to issue a TRACE request against an arbitrary site and pass the results on to a different place. Browsers will only send authentication details and cookies to the sites that issue them. This means a user having a browser with scripting functionality could be tricked into sending cookies or authentication details for arbitrary sites to an attacker.

For example, if you visited a site that has a page that an attacker has carefully crafted, the page could cause your browser to bounce a TRACE request against some other site for which you have authentication cookies. The result of the TRACE will be a copy of what was sent to the site bounced against. This will include cookies and/or other authentication data from that site bounced against. The carefully crafted page from the site that was attacked can then pass that information on to the attacker.

The same browser functionality that permits the published TRACE attack can be used for different attacks even if TRACE is disabled on the remote web server. For example an attacker could again create a carefully crafted page that when visited submits a hidden request to some arbitrary site through your browser, grabs the result and passes it to the attacker.

Reference:
In the news, Cross-Site Tracing issues
http://www.apacheweek.com/issues/03-01-24#news

WhitePaper, TRACE Request Method
http://www.cgisecurity.com/whitehat-mir ... _ebook.pdf

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Wed Jul 06, 2011 10:47 am 
Joomla! Apprentice

Joined: Wed Jul 06, 2011 3:05 am
Posts: 5
leolam,

I realize this post is months old. However, I just joined this forum and found it. Thanks for the info, and the link to the htaccess file. Been looking for something like this for a *while*.

_________________
http://www.livingsimply.org.


PostPosted: Wed Jul 06, 2011 6:38 pm 
Joomla! Guru

Joined: Mon Feb 21, 2011 4:02 pm
Posts: 951
Location: UK
Thanks for the clarifications on TRACE. It is not an issue that I am all that familiar with. I've tossed it into the list of "stuff to think about" that I have been slowly compiling over the last few months.

_________________
Online since 1995.


PostPosted: Thu Jul 07, 2011 8:28 pm 
Joomla! Apprentice

Joined: Thu Feb 18, 2010 7:35 pm
Posts: 6
Hi. I started using the htaccess file by Nicholas Dionysopoulos, and I'm having some trouble with a few components (specifically the K2 frontend editor, Phocagallery, and jwplayer in RokBox). Getting "The requested document was not found on this server" in a lightbox-like popup.

I'm guessing I need to write rules to allow access to those, or alter whatever rules are blocking them.
Please help! And let me know if this should be posted elsewhere.


PostPosted: Thu Jul 07, 2011 10:07 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12516
Location: The Girly Side of Joomla in Sussex
kko wrote:
Hi. I started using the htaccess file by Nicholas Dionysopoulos.

Please direct your comments and questions to the author of that document.
The htaccess file being discussed within these pages is a "fork" of that file that no longer bears any relationship to the original.

_________________
HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Wed Jul 13, 2011 10:02 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
@C0nw0nk
I have deleted your post and again locked the thread against further posts as I have asked everyone time and again not to post additional code they want to see included to this particular topic thread.

The existing code block is being actively worked upon, to make it efficient, to work as designed, and to be well commented in each section. To constantly add additional code from outside sources will only serve to pollute the existing code base that is currently being worked upon.

g1smd, mandville, and myself appreciate everyone's understanding in this matter.

If you have found errors within the existing suggested master htaccess file, then please for the moment PM me the problem description, and the code block or line(s) that you think may be causing the issues.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Fri Jul 05, 2013 5:11 am 
Joomla! Enthusiast

Joined: Sat Apr 22, 2006 3:09 pm
Posts: 115
Hi

I have used the code below in my .htaccess to block the most popular scanner software that script kiddies use to scan my website for security issues such as XSS or SQL injection. Hope this helps make your site more secure.

Code:
<IfModule mod_rewrite.c>
# RewriteEngine On belongs inside the IfModule block; outside it the directive
# is a fatal configuration error on a server without mod_rewrite.
RewriteEngine On
# Known web-application scanners, matched on the User-Agent header ([NC] = case-insensitive)
RewriteCond %{HTTP_USER_AGENT} ^w3af.sourceforge.net [NC,OR]
RewriteCond %{HTTP_USER_AGENT} dirbuster [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nikto [NC,OR]
RewriteCond %{HTTP_USER_AGENT} SF [OR]
RewriteCond %{HTTP_USER_AGENT} sqlmap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} fimap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nessus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} whatweb [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Openvas [NC,OR]
RewriteCond %{HTTP_USER_AGENT} jbrofuzz [NC,OR]
RewriteCond %{HTTP_USER_AGENT} libwhisker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webshag [NC,OR]
# Acunetix identifies itself with its own request header; the last condition carries no [OR]
RewriteCond %{HTTP:Acunetix-Product} ^WVS
# Send matching clients away with a permanent redirect to localhost
RewriteRule ^.* http://127.0.0.1/ [R=301,L]
</IfModule>


This code can also be used for non-Joomla websites, e.g. WordPress or Drupal.

Regards,

_________________
Updating link . Stablehost Review- Real Best Hosting Company 2014


PostPosted: Fri Jul 12, 2013 4:59 pm 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 14026
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Thanks for the advice. This though is all well documented, so I advise all users to review the Joomla wiki related to these issues: http://docs.joomla.org/Htaccess_examples_%28security%29

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


PostPosted: Sun Jul 14, 2013 1:52 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 655
ServerSignature Off
# Request methods the site does not need (covers the TRACE/TRACK question from the first post)
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]

RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999} [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

#Block mySQL injects
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]

RewriteCond %{QUERY_STRING} \.\./\.\. [OR]

RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
# Matches any dot followed by a letter or digit anywhere in the query string,
# e.g. task=file.upload, which is what turns Media Manager uploads into a 403
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
# Note: The final RewriteCond must NOT use the [OR] flag.

# Return 403 Forbidden error.
RewriteRule .* index.php [F]

This is an addon of master htaccess that I added, but today I noted that I could not upload pictures in Media Manager and that I got forbidden for administrator/index.php.
However, if I make an exception for this as below and add it prior to the entries above it works normally.

## Allow upload of pictures in Media Manager
RewriteRule ^administrator/index\.php$ - [L]

Edit: It also works if you put the line above immediately before this one:
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]

http://docs.joomla.org/Htaccess_examples_%28security%29


PostPosted: Sun Jul 14, 2013 4:01 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12516
Location: The Girly Side of Joomla in Sussex
What exactly is the security issue with the above code?

_________________
HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Sun Jul 14, 2013 5:24 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 655
Master htaccess is a security issue as it is used to boost security in Joomla, but it can cause problems, which are important to be aware of. Here I point out a problem that this code can cause and how it is solved. I post it because I earlier asked about similar issues here, but did not get an answer that was the solution to the problem. By using this exception one can get extra protection of the site.


PostPosted: Sun Jul 14, 2013 5:39 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12516
Location: The Girly Side of Joomla in Sussex
For clarity I will repeat what has been posted many times: the code and link you posted is NOT the default htaccess code. It is part of a set of examples, community written and adapted.
Within the link to the docs where edits should be made is a link to a dedicated topic viewtopic.php?f=432&t=549841 where all discussion should be placed, to prevent confusing people who keep posting, when people like you post this code, that it "doesn't appear in my site" & "it breaks my site - why", and people have to keep explaining why.

Slackervaara wrote:
Master htacess is a security issue as it is used to boost security in Joomla, but it can cause problems, which are important to be aware of.
try the phrase it can boost

Quote:
Here I point out a problem that this code can cause and how it is solved. I post it because I earlier asked about similar issues here, but did not get an answer that was the solution to the problem.
possibly because you posted in the wrong topic, and without a full explanation as to where this code came from people were confused and left it alone

Quote:
By using this exception one can get extra protection of the site.
emphasise can
All changes to the default htaccess as provided by Joomla and the code at http://docs.joomla.org/Htaccess_example ... ccess_file (note the proper title "suggested master") should be discussed in the relevant topic that at the time was thought most suitable by the OP. I suggest people also read his opening quote in viewtopic.php?f=432&t=549841#p2261542

I will now move this topic and merge it with the proper topic.

_________________
HU2HY- Poor questions = Poor answer
Unrequested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Sun Jul 14, 2013 7:31 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
Many extensions are written in such a way (nonstandard scripting and callbacks) as to require access to normally restricted ways of access and/or restricted areas (within the admin directory for example) for normal operations. Use of the suggested master htaccess file will many times then block that operation and an exception will have to be added to the suggested master htaccess file to specifically allow the extension access to the restricted area.

Quote:
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
I should add that if done incorrectly, then you can break the htaccess file and be left with less security than before.

If you pay attention, the suggested master htaccess is laid out in an organized way and exceptions or other code additions should be placed in the correct place. This greatly helps someone (even you) later trying to troubleshoot the script.

Quote:
########## Begin - Advanced server protection rules exceptions ####

# Add more rules to single PHP files here

# Add more rules for allowing full access (except PHP files) on more directories here


The authors cannot know every single exception needed, nor is it a good idea to enter or list every exception one can think of into the master code. The longer the htaccess is, the slower your site will be and the higher the server load will be.

While I am not an expert on htaccess and generally rely and leave htaccess answers to g1smd or the like, I think your code just allowed all access to the admin area which is insecure.

I would think that if the code block you added (which is the "Other useful settings" code block for others reading the thread) was placed in the proper place(s) then you may not have the issue or you could add a specific rule to allow the file.

Quote:
To allow Admin Tools Joomla! updater to run, you just need to add an exception for administrator/components/com_admintools/restore.php like this:

RewriteRule ^(administrator/components/com_admintools/restore\.php) $1 [L]


This example is also from the suggested master htaccess file and shows how to allow attachments (but not PHP files) in a specific directory:
Quote:
## Allow Agora attachments, but not PHP files in that directory!
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^components/com_agora/img/members/ - [L]

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Mon Jul 15, 2013 5:45 am 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 655
Thanks, PhilD,

I have tested another type of exception that works for uploading pictures without making an exception for the entire index.php:

# A RewriteRule pattern is matched against the URL path only (the query string is
# not part of it), so the upload call is picked out with a RewriteCond on
# %{QUERY_STRING}; the anchors keep the exception from matching anything longer.
RewriteCond %{QUERY_STRING} ^option=com_media&task=file\.upload&tmpl=1$
RewriteRule ^administrator/index\.php$ - [L]
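
An added example, not code from this thread, from Apache or from the suggested master htaccess file: a small Python evaluator that models the mod_rewrite behaviour the posted block depends on (RewriteCond groups joined by [OR], [NC], a [F] rule and a "-" [L] pass-through rule) and runs the REQUEST_METHOD, REQUEST_URI and QUERY_STRING conditions from the block above against constructed requests. It shows which condition turns the Media Manager upload into a 403 (the `\.[a-z0-9]` test on the query string matches `file.upload`), that the REQUEST_METHOD line is what answers the TRACE/TRACK question from the first post at the .htaccess level (the server-wide switch is the core directive `TraceEnable off`, which is only valid in the main server or virtual host configuration, not in .htaccess), and how a narrow upload exception behaves: RewriteRule patterns are matched against the path without the query string, so the upload call is identified with a RewriteCond on %{QUERY_STRING}, anchored so that nothing can be appended to ride through it. The sample requests, the exception rule and the status codes are constructed for the illustration; the conditions are copied with ASCII quotes and behave the same under Python's `re` as under PCRE for these patterns.

```python
"""Toy evaluator for the mod_rewrite conditions posted in this thread.

Models enough of Apache's RewriteCond/RewriteRule semantics ([OR] groups,
[NC], [F], and a '-' [L] pass-through rule) to show which requests the
posted block forbids and how a narrow Media Manager exception behaves.
Added illustration: not Apache, not the suggested master htaccess file.
"""
import re
from dataclasses import dataclass


@dataclass
class Cond:
    var: str               # REQUEST_METHOD, REQUEST_URI or QUERY_STRING
    pattern: str           # regex as written in the .htaccess
    nc: bool = False       # [NC]: case-insensitive match
    or_next: bool = False  # [OR]: chain with the following condition


@dataclass
class Rule:
    pattern: str           # matched against the path with the leading "/" removed
    conds: list
    forbid: bool = False   # [F]; otherwise the rule is a '-' [L] pass-through


def _hit(pattern, subject, nc):
    return re.search(pattern, subject, re.IGNORECASE if nc else 0) is not None


def conds_pass(conds, req):
    """Apache ANDs condition groups; a run of [OR] conditions forms one group."""
    group_hit = False
    for c in conds:
        group_hit = group_hit or _hit(c.pattern, req[c.var], c.nc)
        if not c.or_next:          # last condition of its group
            if not group_hit:
                return False
            group_hit = False
    return True


def evaluate(rules, method, uri):
    """Return 403 if a [F] rule fires, else 200 (the request passes through)."""
    path, _, query = uri.partition("?")     # %{REQUEST_URI} carries no query string
    req = {"REQUEST_METHOD": method, "REQUEST_URI": path, "QUERY_STRING": query}
    for rule in rules:
        if re.search(rule.pattern, path.lstrip("/")) and conds_pass(rule.conds, req):
            return 403 if rule.forbid else 200
    return 200


# Conditions copied from the block posted above (ASCII quotes); the
# THE_REQUEST, Referer, Cookie and User-Agent lines are left out because
# they play no part in the Media Manager problem.
_SPECIALS = r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)"
BLOCK = Rule(r".*", [
    Cond("REQUEST_METHOD", r"^(HEAD|TRACE|DELETE|TRACK)", nc=True, or_next=True),
    Cond("REQUEST_URI", r'^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}', nc=True, or_next=True),
    Cond("QUERY_STRING",
         r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)""",
         nc=True, or_next=True),
    Cond("QUERY_STRING", r"\.\./\.\.", or_next=True),
    Cond("QUERY_STRING", r"(localhost|loopback|127\.0\.0\.1)", nc=True, or_next=True),
    Cond("QUERY_STRING", r"\.[a-z0-9]", nc=True, or_next=True),   # hits task=file.upload
    Cond("QUERY_STRING", _SPECIALS, nc=True),                     # final condition: no [OR]
], forbid=True)

# Constructed exception: RewriteRule never sees the query string, so the upload
# call is identified with a RewriteCond on %{QUERY_STRING}, anchored with ^...$
# so that nothing extra can be appended to ride through the exception.
MEDIA_UPLOAD_EXCEPTION = Rule(r"^administrator/index\.php$", [
    Cond("QUERY_STRING", r"^option=com_media&task=file\.upload&tmpl=1$"),
])

WITHOUT_EXCEPTION = [BLOCK]
WITH_EXCEPTION = [MEDIA_UPLOAD_EXCEPTION, BLOCK]   # the exception must come first

# Constructed sample requests (method, URI).
SAMPLES = {
    "upload": ("POST", "/administrator/index.php?option=com_media&task=file.upload&tmpl=1"),
    "article": ("GET", "/index.php?option=com_content&view=article&id=5"),
    "inject": ("GET", "/index.php?id=1' union select 1,2"),
    "upload_plus": ("POST", "/administrator/index.php?option=com_media&task=file.upload&tmpl=1&id=1' union select 1,2"),
    "trace": ("TRACE", "/index.php"),
}


def summary(rules):
    """Status code each sample request would get from the given rule set."""
    return {name: evaluate(rules, method, uri) for name, (method, uri) in SAMPLES.items()}


if __name__ == "__main__":
    print("without exception:", summary(WITHOUT_EXCEPTION))
    print("with exception:   ", summary(WITH_EXCEPTION))
```

Run it directly to see both summaries: the "upload" request flips from 403 to 200 once the exception sits in front of the block, while the ordinary article request passes in both cases and the injection-looking query, the upload call with extra parameters appended, and the TRACE request stay at 403. The same evaluator can be fed any other RewriteCond from the block to find out which line is tripping a legitimate extension before adding an exception for it.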


PostPosted: Wed Jul 17, 2013 8:55 am 
Joomla! Enthusiast

Joined: Sat Apr 22, 2006 3:09 pm
Posts: 115
Thanks Leolam for your link, just updated my .htaccess to block bad user agents

Does this code make our website load slower, or give a slower response to visitors?

thanks

_________________
Updating link . Stablehost Review- Real Best Hosting Company 2014


PostPosted: Sun Jul 21, 2013 4:53 am 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 655
Earlier I had PHP-Nuke with a much bigger .htaccess file than Joomla, and I did not see the site get any slower. I also then had IP blocking of a whole country, which gives very many entries in htaccess.


PostPosted: Wed Oct 09, 2013 6:55 am 
Joomla! Fledgling

Joined: Sun Feb 13, 2011 6:19 pm
Posts: 1
The link to the Master .htaccess file (http://akeeba.assembla.com/code/master- ... access.txt) on http://docs.joomla.org/Htaccess_examples_%28security%29 appears to be a dead link. If someone has a link which works, please could you post it here.
Thanks.


PostPosted: Wed Oct 09, 2013 4:03 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2727
Location: Wisconsin USA
We only support the file on the doc page.
The suggested master htaccess file was based on Nicholas K. Dionysopoulos's master htaccess file. The file by Nicholas now resides at:
https://github.com/nikosdion/master-htaccess

There is now also a tool module within the admin tools for assisting in creating an htaccess file.
http://www.akeebabackup.com/software/admin-tools.html

To address another comment.
The htaccess file gets queried on each and every request to the webserver not once per user session.
A single page (even a static one) may actually involve many individual requests, and since the htaccess file has to be queried on each and every request, this adds to the overhead the server must process for a site. On a lightly loaded site the delay a large htaccess file creates goes unnoticed. On a heavily loaded site a large htaccess file can create a significant delay in site response, as a significant portion of the server's time is spent parsing the htaccess file. So, for example, if there are 10 requests created by a single web page and 20 people access the page, the server needs to parse the htaccess file 10 x 20 or 200 times. If 2000 people are requesting the page, then the server has to parse the htaccess file 20000 times. The delay from a large htaccess file will become noticeable at some point, or your host may block the site for excessive resource usage, especially if on a shared server.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Fri Nov 15, 2013 2:57 am 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 183
Thank you very much for this .htaccess file and the information on blocking user agents, in particular. For years there have been strange attempts to log in to my site. Nothing else worked better than this .htaccess. It took a little effort to customize it, but it was totally the best investment in effort I have made in years. I am finally able to sleep at night without worrying someone is trying to hack my server again; it's already happened several times, and this is the best layer of protection ever.

I have a couple of questions, if I may. First, did other people have any problems with favicon.ico? I tried to add various rules to let the file be fetched, but the only thing I could get working for that particular file, for some reason, was to allow the .ico extension type. Does the rule on which extensions are allowed override specific filenames no matter where they are in the file?

The other was about the method for expires. I had previously set expires by file extension, like for 'ico' and .gif' and so on, rather than mime type. Is there a difference in performance between setting expires on a file rather than a mime type? I'd like to understand better about how to make the htaccess file faster too.

_________________
Ernest Meyer

http://www.yofiel.com


PostPosted: Sat Dec 07, 2013 7:22 am 
Joomla! Enthusiast

Joined: Thu Sep 29, 2005 2:37 am
Posts: 183
Later I found it better to set .ico extension rather than favicon.ico, because there is also an administrator favicon.ico in another place.

_________________
Ernest Meyer

http://www.yofiel.com


PostPosted: Sat Dec 07, 2013 6:11 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 655
For the tmp and images folder I have a modified master htaccess plus this:

<Files ~ "\.(php|js|sh)$">
# Apache 2.2 access-control syntax; on Apache 2.4 the equivalent is "Require all denied"
Order allow,deny
Deny from all
</Files>

If a hacker manages to upload files with these extensions, they can't execute those files there, so they are useless to them.

