Joomla! security 101

  • 1,188 views
Uploaded on

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,188
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
16
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Joomla! security 101
    What to do before disaster strikes
  • 2. That’s me
    I am Nicholas K. Dionysopoulos, the lead developer of Akeeba Backup and contributing author at the Joomla! Community Magazine.
  • 3. The basics
    …or what you are supposed to do and rarely remember to do it
  • 4. Backup, backup and backup
  • 5. Update, yesterday
  • 6. Multifactor back-end authentication
    Password protection
    Secret URL parameter
    Use your host’s Control Panel, or .htaccess
    Best protection
    Doesn’t cost
    More difficult to setup
    Use jSecure Authentication
    Very easy to setup
    Costs money
    Doesn’t protect against direct access to files
  • 7. Permissions must make sense
    Should I 0777 anything?
    • Generally an extremely bad idea!
    • 8. Better enable Joomla!’s FTP layer.
    • 9. Only required by badly written extensions.
    • 10. tmp, logs, cache and administrator/cache directories.
    • 11. If you do that, make sure you install this .htaccess in each and every of them:
    order deny, allowdeny from all
  • 12. The advanced stuff
    …which every site builder should do on every site he builds
  • 13. We are all sitting ducks
    Known prefix,jos_ and known ID62 make me say
    what the quack…?!
  • 14. The prefix matters
  • 15. 62 reasons to fire your Super Admin
  • 16. Only a ninja can kill another ninja
    Crash course to .htaccessKung-Fu
  • 17. Visual fingerprinting
    RewriteCond %{QUERY_STRING} (&|%3F){1,1}tp= [OR]
    RewriteCond %{QUERY_STRING} (&|%3F){1,1}template= [OR]
    RewriteCond%{QUERY_STRING} (&|%3F){1,1}tmpl= [NC]
    RewriteRule^(.*)$ - [R=404,L]
  • 18. PHP has a big mouth
    RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [OR]
    RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [OR]
    RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [OR]
    RewriteCond %{QUERY_STRING} ^%3F=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 [OR]
    RewriteRule ^(.*)$ - [R=404,L]
  • 19. Blind the elephant before it stomps you
    nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
    Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
    Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
    Hit http://joomla.ubuntu.web/media/system/js/validate.js
    Possible versions based on result: 1.5.17, 1.5.18
    Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
    Possible versions based on result: 1.5.17, 1.5.18
    Hit http://joomla.ubuntu.web/media/system/js/caption.js
    Possible versions based on result: 1.5.17, 1.5.18
    Hit http://joomla.ubuntu.web/media/system/js/openid.js
    Possible versions based on result: 1.5.17, 1.5.18
    Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
    Possible versions based on result: 1.5.17, 1.5.18
    Fingerprinting resulted in:
    1.5.17
    1.5.18
    Best Guess: 1.5.18
    NEWSFLASH:
    Hackers easily find out which Joomla! version you are using on your site
    RewriteRule ^(images/stories/*.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{HTTP_REFERER} !^http[s]{0,1}://(.+.)?www.example.com [NC]
    RewriteRule .(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?)$ - [R=404,L]
    More .htaccess rules for further protection in my Master .htaccess:http://snipt.net/nikosdion/the-master-htaccess
  • 20. Ask the geek
  • 21. That’s all, folks!