Suggested Master .htaccess file

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
jawsmith
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Tue Jul 05, 2011 9:22 am

Re: Suggested Master .htaccess file

Post by jawsmith » Tue Jul 05, 2011 9:47 am

Thanks everybody for the suggested file.

One more idea from a newbe: There is a lot of suggestions on the web to disable HTTP TRACE and TRACK methods (e.g. http://publib.boulder.ibm.com/httpserv/ ... trace.html or just google for "http trace track"), to prevent cross-side tracing attacks. Would that be something to also be added to the file?

Maybe together with HEAD and DELETE methods, as in "Other useful settings" on http://docs.joomla.org/Htaccess_examples_%28security%29 ?

Cheers!

g1smd
Joomla! Guru
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Tue Jul 05, 2011 11:21 pm

Yes, certainly worth considering. Thanks! The suggestions I fed back to the original author several months ago haven't been acknowledged or actioned. At some point, when I have a bit more time, I might fork the entire project and make a whole load more changes that I have noted over the last few months.
Online since 1995.

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Suggested Master .htaccess file

Post by PhilD » Tue Jul 05, 2011 11:35 pm

Trace is not a vulnerability in the TRACE command, or in the Apache web server. Rather it is a browser issue that can occur with certain browsers that can be scripted. The TRACE request has been blown out of proportion by the press who do not understand what they are reporting on.
This was first reported in 2003 I believe, and would probably be better served if turned off on the server and it may have been fixed within the browser in question.

I don't think most people need to be concerned greatly about the issue (personal opinion only), though it is possible a hacked site could be serving the carefully crafted pages to gain online banking credentials I suppose. I'm not saying it should be or should not be added. It probably should, though if an attacker has access to your site to insert the pages etc., they can remove it from htaccess.

For those who don't understand much about this issue, read on. The info below came from the sites I referenced below which do a better job of explaining the issue than the site posted in the above post.

When an HTTP TRACE request is sent to a web server the server will respond by echoing the data that is passed to it, including any HTTP headers. As the paper explains, some browsers can be scripted to perform a TRACE request. A browser with this functionality can be made to issue a TRACE request against an arbitrary site and pass the results on to a different place. Browsers will only send authentication details and cookies to the sites that issue them. This means a user having a browser with scripting functionality could be tricked into sending cookies or authentication details for arbitrary sites to an attacker.

For example, if you visited a site that has a page that an attacker has carefully crafted, the page could cause your browser to bounce a TRACE request against some other site for which you have authentication cookies for. The result of the TRACE will be a copy of what was sent to the site bounced against. This will include cookies and/or other authentication data from that site bounced against. The carefully crafted page from the site that was attacked can then pass that information on to the attacker.

The same browser functionality that permits the published TRACE attack can be used for different attacks even if TRACE is disabled on the remote web server. For example an attacker could again create a carefully crafted page that when visited submits a hidden request to some arbitrary site through your browser, grabs the result and passes it to the attacker.

Reference:
In the news, Cross-Site Tracing issues
http://www.apacheweek.com/issues/03-01-24#news

WhitePaper, TRACE Request Method
http://www.cgisecurity.com/whitehat-mir ... _ebook.pdf
PhilD

sonailpgi
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Wed Jul 06, 2011 3:05 am
Contact:

Re: Suggested Master .htaccess file

Post by sonailpgi » Wed Jul 06, 2011 10:47 am

leolam,

I realize this post in months old. However, I just joined this forum and found it. Thanks for the info, and the link to the htaccess file. Been looking for something like this for a *while*.

g1smd
Joomla! Guru
Joomla! Guru
Posts: 951
Joined: Mon Feb 21, 2011 4:02 pm
Location: UK

Re: Suggested Master .htaccess file

Post by g1smd » Wed Jul 06, 2011 6:38 pm

Thanks for the clarifications on TRACE. It is not an issue that I am all that familiar with. I've tossed it into the list of "stuff to think about" that I have been slowly compiling over the last few months.
Online since 1995.

kko
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Thu Feb 18, 2010 7:35 pm

Re: Suggested Master .htaccess file

Post by kko » Thu Jul 07, 2011 8:28 pm

Hi. I started using the htaccess file by Nicholas Dionysopoulos, and I'm having some trouble with a few components (specifically the K2 frontend editor, Phocagallery, and jwplayer in RokBox). Getting "The requested document was not found on this server" in a lightbox-like popup.

I'm guessing I need to write rules to allow access to those, or alter whatever rules are blocking them.
Please help! And let me know if this should be posted elsewhere.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Suggested Master .htaccess file

Post by mandville » Thu Jul 07, 2011 10:07 pm

kko wrote:Hi. I started using the htaccess file by Nicholas Dionysopoulos,.
please direct your comments and questions to the author of that document.
the htaccess file bring discussed within these pages are a "fork" version of that file that no longer bear any relationshp to the original
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Suggested Master .htaccess file

Post by PhilD » Wed Jul 13, 2011 10:02 pm

@C0nw0nk
I have deleted your post and again locked the thread against further posts as I have asked everyone time and again not to post additional code they want to see included to this particular topic thread.

The existing code block is being actively worked upon, to make it efficient, to work as designed, and to be well commented in each section. To constantly add additional code from outside sources will only serve to pollute the existing code base that is currently being worked upon.

g1smd, mandville, and myself appreciate everyone's understanding in this matter.

If you have found errors within the existing suggested master htaccess file, then please for the moment PM me the problem description, and the code block or line(s) that you think may be causing the issues.
PhilD

niitpro
I've been banned!
Posts: 118
Joined: Sat Apr 22, 2006 3:09 pm
Contact:

Stop the script kiddie scan your Joomla

Post by niitpro » Fri Jul 05, 2013 5:11 am

Hi

I have use this code below in my .htaccess to block most popular scanner software that script kiddie using to scan my website for security issues such as XSS or Sql Injection. Hope this help make your site more secure.

Code: Select all

RewriteEngine On 
<IfModule mod_rewrite.c> 
RewriteCond %{HTTP_USER_AGENT} ^w3af.sourceforge.net [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} dirbuster [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} nikto [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} SF [OR] 
RewriteCond %{HTTP_USER_AGENT} sqlmap [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} fimap [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} nessus [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} whatweb [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} Openvas [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} jbrofuzz [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} libwhisker [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} webshag [NC,OR] 
RewriteCond %{HTTP:Acunetix-Product} ^WVS 
RewriteRule ^.* http://127.0.0.1/ [R=301,L] 
</IfModule>
This code can be use for none Joomla website, ex: Wordpress or Drupal.

Regards,

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Stop the script kiddie scan your Joomla

Post by leolam » Fri Jul 12, 2013 4:59 pm

Thanks for the advise. This though is all well documented so I advise all users to review the Joomla-Wiki related to these issues: http://docs.joomla.org/Htaccess_examples_%28security%29

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
Slackervaara
Joomla! Ace
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Problem with master htaccess

Post by Slackervaara » Sun Jul 14, 2013 1:52 pm

ServerSignature Off
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]

RewriteCond %{HTTP_REFERER} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999} [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

#Block mySQL injects
RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]

RewriteCond %{QUERY_STRING} \.\./\.\. [OR]

RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]
# Note: The final RewriteCond must NOT use the [OR] flag.

# Return 403 Forbidden error.
RewriteRule .* index.php [F]

This is an addon of master htaccess that I added, but today I noted that I could not upload pictures in Media Manager and that I got forbidden for administrator/index.php.
However, if I make an exception for this as below and add it prior to the entries above it works normally.

## Allow upload of pictures in Media Manager
RewriteRule ^administrator/index\.php$ - [L]

Edit: It also works if you put the line above prior:
RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]

http://docs.joomla.org/Htaccess_examples_%28security%29

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Problem with master htaccess

Post by mandville » Sun Jul 14, 2013 4:01 pm

What exactly is the security issue with the above code?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
Slackervaara
Joomla! Ace
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Problem with master htaccess

Post by Slackervaara » Sun Jul 14, 2013 5:24 pm

Master htacess is a security issue as it is used to boost security in Joomla, but it can cause problems, which are important to be aware of. Here I point out a problem that this code can cause and how it is solved. I post it because I earlier asked about similar issues here, but did not get an answer that was the solution to the problem. By using this exception one can get extra protection of the site.

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Problem with master htaccess

Post by mandville » Sun Jul 14, 2013 5:39 pm

for clarity i will repeat what has been posted many times, the code and link your posted is NOT the defualt htaccess code. it is part of examples of a suggested community written and adapted.
Within the link to the docs where edits should be made is a link to a dedicated topic http://forum.joomla.org/viewtopic.php?f=432&t=549841 where all discussion should be placed to prevent confusing people who keep posting when people like you post this code that it "doesnt appear in my site" & "it breaks my site - why " and people have to keep explaining why.
Slackervaara wrote:Master htacess is a security issue as it is used to boost security in Joomla, but it can cause problems, which are important to be aware of.
try the phrase it can boost
Here I point out a problem that this code can cause and how it is solved. I post it because I earlier asked about similar issues here, but did not get an answer that was the solution to the problem.
possibly because you posted in the wrong topic and without full explanation as to where this code came from people were confused and left it alone
By using this exception one can get extra protection of the site.
emphasises can
All changes to the default htaccess as provided by joomla and the code at http://docs.joomla.org/Htaccess_example ... ccess_file note the proper title "suggested master" should be discussed in the relevant topic that at the time was thought most suitable by the OP. i suggest people also read his opening quote in http://forum.joomla.org/viewtopic.php?f ... 1#p2261542

I will now move this topic and merge it with the proper topic.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Suggested Master .htaccess file

Post by PhilD » Sun Jul 14, 2013 7:31 pm

Many extensions are written in such a way (nonstandard scripting and callbacks) as to require access to normally restricted ways of access and/or restricted areas (within the admin directory for example) for normal operations. Use of the suggested master htaccess file will many times then block that operation and an exception will have to be added to the suggested master htaccess file to specifically allow the extension access to the restricted area.
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
I should add that if done incorrectly, then you can break the htaccess file and be left with less security than before.

If you pay attention, the suggested master htaccess is laid out in an organized way and exceptions or other code additions should be placed in the correct place. This greatly helps someone (even you) later trying to troubleshoot the script.
########## Begin - Advanced server protection rules exceptions ####

# Add more rules to single PHP files here

# Add more rules for allowing full access (except PHP files) on more directories here
The authors can not know every single exception needed, nor is it a good idea to enter or list every exception one can think of into the master code. The longer the htaccess is the slower your site will be and the higher the server load will be.

While I am not an expert on htaccess and generally rely and leave htaccess answers to g1smd or the like, I think your code just allowed all access to the admin area which is insecure.

I would think that if the code block you added (which is the "Other useful settings" code block for others reading the thread) was placed in the proper place(s) then you may not have the issue or you could add a specific rule to allow the file.
To allow Admin Tools Joomla! updater to run, you just need to add an exception for administrator/components/com_admintools/restore.php like this:

RewriteRule ^(administrator/components/com_admintools/restore\.php) $1 [L]
This example is also from the suggested master htaccess file and shows how to allow attachments (but not php files) into a specific directory
## Allow Agora attachments, but not PHP files in that directory!
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^components/com_agora/img/members/ - [L]
PhilD

User avatar
Slackervaara
Joomla! Ace
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Suggested Master .htaccess file

Post by Slackervaara » Mon Jul 15, 2013 5:45 am

Thanks, PhilD,

I have tested another type of exception that works for uploading pictures without making an exception fore entire index.php

RewriteRule ^administrator/index.php?option=com_media&task=file.upload&tmpl=1$ - [L]

niitpro
I've been banned!
Posts: 118
Joined: Sat Apr 22, 2006 3:09 pm
Contact:

Re: Stop the script kiddie scan your Joomla

Post by niitpro » Wed Jul 17, 2013 8:55 am

Thanks Leolam for your link, just updated my .htaccess to block bad user agents

Does this code make our website load slower ? or slower response to visitors ?

thanks

User avatar
Slackervaara
Joomla! Ace
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Suggested Master .htaccess file

Post by Slackervaara » Sun Jul 21, 2013 4:53 am

Earlier I had PHP-Nuke with a much bigger .htaccess file than Joomla and I did not see any slower site. I also then hade ip-blockage of a country which gives very many entries in htaccess.

jrensor
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Sun Feb 13, 2011 6:19 pm

Re: Suggested Master .htaccess file

Post by jrensor » Wed Oct 09, 2013 6:55 am

The link to the Master .htaccess file (http://akeeba.assembla.com/code/master- ... access.txt) on http://docs.joomla.org/Htaccess_examples_%28security%29 appears to be a dead link. If someone has a link which works, please could you post it here.
Thanks.

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Suggested Master .htaccess file

Post by PhilD » Wed Oct 09, 2013 4:03 pm

We only support the file on the doc page.
The suggested master htaccess file was based on Nicholas K. Dionysopoulos master htaccess file. The file by Nicholas now resides at:
https://github.com/nikosdion/master-htaccess

There is now also a tool module within the admin tools for assisting in creating an htaccess file.
http://www.akeebabackup.com/software/admin-tools.html

To address another comment.
The htaccess file gets queried on each and every request to the webserver not once per user session.
A single page (even a static one) may actually have many individual requests and since the htaccess file has to be queried on each and every request this adds to the overhead the server must process for a site. On a lightly loaded site the delay a large htaccess file creates is unnoticed. On a heavily loaded site a large htaccess file can create a significant delay in site response as a significant portion of the servers time is spent parsing the htaccess file. So for example if there are 10 requests created on a single web page and 20 people access the page, the server needs to parse the htaccess file 10 x 20 or 200 times. If 2000 people are requesting the page, then the server has to parse the htaccess file 20000 times. The delay from a large htaccess file will become noticeable at some point, or your host may block the site for excessive resource usage, especially if on a shared server.
PhilD

emeyer
Joomla! Explorer
Joomla! Explorer
Posts: 352
Joined: Thu Sep 29, 2005 2:37 am

Re: Suggested Master .htaccess file

Post by emeyer » Fri Nov 15, 2013 2:57 am

Thank you very much for this .htaccess file and information on blocking user agents, in particular. For years there have ben strange attempts to log in my site. Nothing else worked better than this .htaccess. It took a little effort to customize it but it was totally the best investment in effort I made in years. I am finally able to sleep at night without worrying someone is trying to hack my server again, it's already happened several times, and this is the best layer of protection ever.

I have a couple of questions, if I may. First, did other people have any problems with favicon.ico? I tried to add various rules to let the file be fetched, but the only thing I could get working for that particular file, for some reason, was to allow the .ico extension type. Does the rule on which extensions are allowed override specific filenames no matter where they are in the file?

The other was about the method for expires. I had previously set expires by file extension, like for 'ico' and .gif' and so on, rather than mime type. Is there a difference in performance between setting expires on a file rather than a mime type? I'd like to understand better about how to make the htaccess file faster too.

emeyer
Joomla! Explorer
Joomla! Explorer
Posts: 352
Joined: Thu Sep 29, 2005 2:37 am

Re: Suggested Master .htaccess file

Post by emeyer » Sat Dec 07, 2013 7:22 am

Later I found it better to set .ico extension rather than favicon.ico, because there is also an administrator favicon.ico in another place.

User avatar
Slackervaara
Joomla! Ace
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Suggested Master .htaccess file

Post by Slackervaara » Sat Dec 07, 2013 6:11 pm

For the tmp and images folder I have a modified master htaccess plus this:

<Files ~ "\.(php|js|sh)$">
Order allow,deny
Deny from all
</Files>

If a hacker manage to upload files with these extensions they can't execute those files there, so they are useless for them.


Locked

Return to “Security in Joomla! 1.5”