Folder Security

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
Nap
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 112
Joined: Wed Aug 02, 2006 4:53 am

Folder Security

Post by Nap » Sat Jan 31, 2015 11:09 am

[Joomla 2.5, Virtumart, Ubuntu] (Sorry, should have posted in the Joomla 2.5 forum)

The document root for my joomla site has the standard .htaccess which rewrites URLs. I notice it does not specify "Options -Indexes".

So I checked, using find -type d '!' -exec sh -c 'ls -1 "{}"|egrep -i -q "^index\.(html|php)$"' ';' -print, if every folder contained either an index.html or index.php file. I found that quite a few don't, including some components/plugins I have installed.

Should I put the "Options -Indexes" into .htaccess, or copy the default index.html into each of these folder?

What is the best option?

Cheers,
Nap
"Life is like arriving late to a movie"

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25870
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Folder Security

Post by Per Yngve Berg » Sat Jan 31, 2015 11:26 am

None of these should be necessary. What is your issue?

Nap
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 112
Joined: Wed Aug 02, 2006 4:53 am

Re: Folder Security

Post by Nap » Sat Jan 31, 2015 12:32 pm

I don't want people browsing my files and folders.
I put "Options -Indexes" in the .htaccess file, and its all working.
"Life is like arriving late to a movie"

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25870
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Folder Security

Post by Per Yngve Berg » Sat Jan 31, 2015 3:21 pm

On a properly configured host, this should not be necessary. directory Listing should be off by Default.

Please use the Forum Post Assistant
http://forum.joomla.org/viewtopic.php?f=621&t=582860

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25870
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Folder Security

Post by Per Yngve Berg » Sat Jan 31, 2015 3:21 pm

Mod. Note: Relocated the topic to the Security J2.5 Forum.

Nap
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 112
Joined: Wed Aug 02, 2006 4:53 am

Re: Folder Security

Post by Nap » Sun Feb 01, 2015 12:48 am

Thanks for the heads up about the FPA.
Should I be posting the information here (for all to see)?

Here are the exceptions:
  • I'm running Ubuntu's MariaDB on my server, and I'm getting MySQL Supports J! 2.5.20 NO. However, the site seems to be working fine,
  • I've got a few entries around the place that are marked [ -- Protected -- ],
  • suhosin shows as a Potential Missing Extension, and
  • A lot of entries that are black text on white background.
Anything to be concerned about?

Cheers,
Nap
"Life is like arriving late to a movie"

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25870
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Folder Security

Post by Per Yngve Berg » Sun Feb 01, 2015 9:32 am

Yes, post the Information.

MariaDB is a fork of Mysql. This is the first time I hear anyone uses it with Joomla.

Nap
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 112
Joined: Wed Aug 02, 2006 4:53 am

Re: Folder Security

Post by Nap » Sun Feb 01, 2015 12:06 pm

Interesting. The site is working fine, though it's still being fine tuned in the Joomla Admin area.

FPA Details are in my Photo bucket
http://img.photo bucket.com/albums/v631/Napoleon_BlownApart/Joomla_Settings.png
(Remove the space between 'photo' and 'bucket' in the url since I could not use the word 'Photo bucket' without adding the place inbetween.)

Cheers,
Nap
"Life is like arriving late to a movie"

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25870
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Folder Security

Post by Per Yngve Berg » Sun Feb 01, 2015 12:13 pm

The images are unreadable. Past into the post as you are supoosed to do. The FPA output contains bb code that formats the output in the forum.

Nap
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 112
Joined: Wed Aug 02, 2006 4:53 am

Re: Folder Security

Post by Nap » Mon Feb 02, 2015 4:03 am

Here it is. I didn't see the "Show the Forum Post Assistant" button as I was busy looking at the infomation gathered. Perhaps it should be OPEN by default.

Also, even when I selected "Strict", the output showed the username/group of the client, and it showed the complete folder paths for the site. I've also commented out part of the Kernel version as it identifies my ISP. In light of this, I think the privacy concerns need to be reviewed.

Concerning the image I posted earlier, it is 'readable' if you zoom in on it. The fonts sizes used made it difficult to read, but it is legible. In anycase, the BB-code method is much better.

Cheers,
Nap
Forum Post Assistant (v1.2.4) : 2nd February 2015 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.20-Stable (Ember) 30-April-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Writable (640) | Owner: vhost username (uid: 1/gid: 1) | Group: vhost group (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.18.1-x86_64-.... | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: vhost domain folder ./web | System TMP Writable: Yes

PHP Configuration :: Version: 5.5.9-1ubuntu4.5 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: vhost canonical folder ./web:vhost canonical folder ./private:vhost canonical folder ./tmp:vhost domain folder ./web:/srv/www/vhost domain folder ./web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.40-MariaDB-0ubuntu0.14.04.1 (Client:5.5.41) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 19.83 MiB | #of Tables: 257
Detailed Environment :: wrote:PHP Extensions :: Core (5.5.9-1ubuntu4.5) | date (5.5.9-1ubuntu4.5) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gettext () | SPL (0.2) | iconv () | mbstring () | pcntl () | session () | posix () | Reflection ($Id: 31d836a7ac92a37b5c580836d91ad4736fe2f376 $) | standard (5.5.9-1ubuntu4.5) | shmop () | SimpleXML (0.1) | soap () | sockets () | Phar (2.0.2) | exif (1.4 $Id$) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.11.0) | cgi-fcgi () | PDO (1.0.4dev) | curl () | gd () | imagick (3.1.2) | intl (1.1.0) | json (1.3.2) | mcrypt () | memcache (3.0.8) | memcached (2.1.0) | ming () | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | pspell () | readline (5.5.9-1ubuntu4.5) | recode () | snmp (0.1) | sqlite3 (0.7-dev) | tidy (2.0) | XCache (3.1.0) | xmlrpc (0.51) | xsl (0.1) | mhash () | XCache Optimizer (3.1.0) | XCache Cacher (3.1.0) | XCache Coverager (3.1.0) | Zend OPcache (7.0.3FE) | Zend Engine (2.5.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (2.5.0) | com_mailto (2.5.0) |
Components :: ADMIN :: com_messages (2.5.0) | com_redirect (2.5.0) | com_config (2.5.0) | com_content (2.5.0) | com_modules (2.5.0) | com_login (2.5.0) | ECB Currency Converter (1.0) | VIRTUEMART (-) | VirtueMart_allinone (2.6.6) | com_menus (2.5.0) | com_languages (2.5.0) | com_cache (2.5.0) | com_admin (2.5.0) | com_weblinks (2.5.0) | com_cpanel (2.5.0) | com_djmediatools (2.0.5) | com_checkin (2.5.0) | com_newsfeeds (2.5.0) | com_media (2.5.0) | com_joomlaupdate (2.5.0) | com_banners (2.5.0) | com_plugins (2.5.0) | com_installer (2.5.0) | com_categories (2.5.0) | com_search (2.5.0) | com_templates (2.5.0) | com_users (2.5.0) | com_finder (2.5.0) |

Modules :: SITE :: mod_feed (2.5.0) | mod_banners (2.5.0) | mod_virtuemart_manufacturer (2.6.6) | mod_wrapper (2.5.0) | mod_footer (2.5.0) | mod_virtuemart_currencies (2.6.6) | mod_articles_categories (2.5.0) | mod_whosonline (2.5.0) | mod_virtuemart_search (2.0.18a) | mod_login (2.5.0) | mod_users_latest (2.5.0) | mod_articles_category (2.5.0) | mod_articles_popular (2.5.0) | mod_breadcrumbs (2.5.0) | mod_stats (2.5.0) | mod_languages (2.5.0) | mod_virtuemart_category (2.6.6) | mod_weblinks (2.5.0) | mod_articles_latest (2.5.0) | mod_virtuemart_product (2.6.6) | mod_related_items (2.5.0) | VirtueMart Shopping Cart (2.6.6) | mod_syndicate (2.5.0) | mod_finder (2.5.0) | mod_random_image (2.5.0) | DJ-MegaMenu (2.0.2) | mod_articles_news (2.5.0) | mod_search (2.5.0) | mod_articles_archive (2.5.0) | DJ-MediaTools Album (2.0.3) | mod_custom (2.5.0) | mod_menu (2.5.0) |
Modules :: ADMIN :: mod_version (2.5.0) | mod_feed (2.5.0) | mod_toolbar (2.5.0) | mod_quickicon (2.5.0) | mod_login (2.5.0) | VirtueMart Administrator Menu (2.6.6) | mod_multilangstatus (2.5.0) | mod_logged (2.5.0) | mod_popular (2.5.0) | mod_latest (2.5.0) | mod_title (2.5.0) | mod_submenu (2.5.0) | mod_status (2.5.0) | mod_custom (2.5.0) | mod_menu (2.5.0) |

Plugins :: SITE :: plg_editors_tinymce (3.5.4.1) | plg_editors_codemirror (1.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_content (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_contacts (2.5.0) | plg_system_sef (2.5.0) | plg_system_djmegamenu (1.2.0) | plg_system_cache (2.5.0) | plg_system_p3p (2.5.0) | plg_system_remember (2.5.0) | plg_system_log (2.5.0) | plg_system_highlight (2.5.0) | plg_system_redirect (2.5.0) | plg_system_debug (2.5.0) | plg_system_languagecode (2.5.0) | plg_system_logout (2.5.0) | plg_system_djjquerymonster (1.0.0) | plg_system_languagefilter (2.5.0) | plg_content_finder (2.5.0) | plg_content_loadmodule (2.5.0) | DJ-VMPagebreak Content Plugin (1.3) | plg_content_pagenavigation (2.5.0) | plg_content_geshi (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_djmediatools (2.0.0) | plg_content_joomla (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | Weight Countries (2.6.6) | Stockable (2.6.6) | VMCustom - specification (2.6.6) | VMCustom - textinput (2.6.6) | Moneybookers Przelewy24 (2.6.6) | Moneybookers Credit Cards (2.6.6) | VM - Payment, PayZen (1.3c) | Moneybookers Digital Wallet (2.6.6) | Moneybookers Sofortueberweisun (2.6.6) | Heidelpay (2.6.6) | VM - Payment, Systempay (1.3c) | Klarna Checkout (2.6.6) | Standard (2.6.6) | Authorize.net AIM (2.6.6) | PayPal (2.6.6) | Sofort Ideal (2.6.6) | Moneybookers (2.6.6) | VM Payment - Paybox (2.6.6) | Sofort (2.6.6) | Moneybookers Bank Transfer (2.6.6) | Klarna (2.6.6) | Moneybookers Giropay (2.6.6) | Moneybookers iDeal (2.6.6) | Moneybookers Lastschrift (2.6.6) | VM - Calculation Avalara Tax (2.6.6) | plg_user_profile (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_extension_joomla (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_search_content (2.5.0) | plg_search_weblinks (2.5.0) | plg_search_categories (2.5.0) | plg_search_virtuemart (2.6.6) | plg_search_contacts (2.5.0) | plg_djmediatools_content (1.3.1) | plg_djmediatools_k2 (1.0.1) | plg_djmediatools_djclassifieds (2.0.0) | plg_djmediatools_folder (1.1.1) | plg_djmediatools_djcatalog2 (1.2.5) | plg_djmediatools_virtuemart (1.0.0) | plg_captcha_recaptcha (2.5.0) | plg_editors-xtd_article (2.5.0) | DJ-VMPagebreak Editor Plugin (1.1) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors-xtd_djmediatools (2.0.0) |
Templates Discovered :: wrote:Templates :: SITE :: beez_20 (2.5.0) | beez5 (2.5.0) | atomic (2.5.0) | jm-modern-store (2.01) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) |
"Life is like arriving late to a movie"

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25870
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Folder Security

Post by Per Yngve Berg » Mon Feb 02, 2015 5:47 am

Ask your host to set "Options -Indexes" in httpd.conf

Nap
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 112
Joined: Wed Aug 02, 2006 4:53 am

Re: Folder Security

Post by Nap » Mon Feb 02, 2015 7:06 am

Thnx Per. Already done that.
"Life is like arriving late to a movie"


Locked

Return to “Security in Joomla! 2.5”