Joomla! security 101

Transcript

  • 1. Joomla! security 101
       What to do before disaster strikes
  • 2. That’s me
       I am Nicholas K. Dionysopoulos, the lead developer of Akeeba Backup and contributing author at the Joomla! Community Magazine.
  • 3. The basics
       …or what you are supposed to do and rarely remember to do
  • 4. Backup, backup and backup
  • 5. Update, yesterday
  • 6. Multifactor back-end authentication
       Password protection
         Use your host’s Control Panel, or .htaccess
         Best protection
         Doesn’t cost
         More difficult to set up
       Secret URL parameter
         Use jSecure Authentication
         Very easy to set up
         Costs money
         Doesn’t protect against direct access to files: the parameter is only checked on requests that go through Joomla! itself, not on a URL that points straight at another file under administrator/
  • 7. Permissions must make sense
       Should I 0777 anything?
         Generally an extremely bad idea!
  • 8. Better enable Joomla!’s FTP layer.
  • 9. Only required by badly written extensions.
  • 10. tmp, logs, cache and administrator/cache directories.
  • 11. If you do that, make sure you install this .htaccess in each and every one of them:
           Order deny,allow
           Deny from all
       A 0777 directory stays writable by every process on the box; the .htaccess only stops Apache from serving (and therefore executing) whatever gets dropped in there, and only where AllowOverride lets it take effect. On Apache 2.4 the same rule is spelled Require all denied; the Order/Deny pair keeps working there only while mod_access_compat is loaded.
  • 12. The advanced stuff
       …which every site builder should do on every site he builds
  • 13. We are all sitting ducks
       Known prefix, jos_, and known ID 62 make me say
       what the quack…?!
       jos_ is the table prefix the Joomla! 1.5 installer proposes and 62 is the ID it gives the first Super Administrator. Leave both in place and an attacker already knows the two things a canned SQL injection payload needs: the name of the users table and which row to go after.
  • 14. The prefix matters
       Pick a random prefix when you install. On an existing site, rename every table to the new prefix and change $dbprefix in configuration.php to match. Extensions that hard-code jos_ instead of the #__ placeholder will break; they were broken to begin with and need fixing anyway.
  • 15. 62 reasons to fire your Super Admin
       Create a second Super Administrator with a new, non-obvious username, log in as that account and delete the original user with ID 62. Let Joomla! do the deleting rather than editing the ID in the database by hand, so the account’s ACL entries go with it.
  • 16. Only a ninja can kill another ninja
       Crash course in .htaccess Kung-Fu
  • 17. Visual fingerprinting
       Joomla! 1.5 answers ?tp=1 (module positions), ?template=… (template switch) and ?tmpl=… (layout switch) on every page. The result identifies the site as Joomla! and usually its template, so hand back a 404 whenever one of those parameters shows up, whether it is the first parameter in the query string or follows an &:
           RewriteCond %{QUERY_STRING} (^|&)tp= [NC,OR]
           RewriteCond %{QUERY_STRING} (^|&)template= [NC,OR]
           RewriteCond %{QUERY_STRING} (^|&)tmpl= [NC]
           RewriteRule ^(.*)$ - [R=404,L]
       Check the site first: Joomla!’s own print view and pop-up windows use tmpl=component, so the third condition breaks those links unless you stop using them.
  • 18. PHP has a big mouth
       With expose_php enabled, any PHP script answers ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 and the three other GUIDs below with the PHP logo, the Zend logo or the PHP credits page, which confirms PHP is behind the site and, because the images changed between PHP releases, hints at the version. Turn those requests into 404s:
           RewriteCond %{QUERY_STRING} ^=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC,OR]
           RewriteCond %{QUERY_STRING} ^=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [NC,OR]
           RewriteCond %{QUERY_STRING} ^=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [NC,OR]
           RewriteCond %{QUERY_STRING} ^=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 [NC]
           RewriteRule ^(.*)$ - [R=404,L]
       If you control php.ini, expose_php = Off switches the easter eggs off at the source and also drops the X-Powered-By header.
  • 19. Blind the elephant before it stomps you
           nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
           Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
           Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
           Hit http://joomla.ubuntu.web/media/system/js/validate.js
           Possible versions based on result: 1.5.17, 1.5.18
           Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
           Possible versions based on result: 1.5.17, 1.5.18
           Hit http://joomla.ubuntu.web/media/system/js/caption.js
           Possible versions based on result: 1.5.17, 1.5.18
           Hit http://joomla.ubuntu.web/media/system/js/openid.js
           Possible versions based on result: 1.5.17, 1.5.18
           Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
           Possible versions based on result: 1.5.17, 1.5.18
           Fingerprinting resulted in:
           1.5.17
           1.5.18
           Best Guess: 1.5.18
       NEWSFLASH: Hackers easily find out which Joomla! version you are using on your site
       BlindElephant fetches static files that ship with Joomla! (JS, CSS) and compares their checksums against every known release. Scanners like it request those files directly, without a Referer header, so serve them only to requests that come from your own pages and answer everything else with a 404. The first rule lets images/stories through unconditionally, so article images keep working when hotlinked or pulled into feeds:
           RewriteRule ^images/stories/.*\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?)$ - [L]
           RewriteCond %{REQUEST_FILENAME} -f
           RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?www\.example\.com [NC]
           RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?)$ - [R=404,L]
       Replace www.example.com with your own host name. Two caveats: a scanner that bothers to send a Referer header walks straight past this, and visitors whose browser or proxy strips Referer will get 404s for your CSS and JavaScript, so test it before rolling it out on a production site.
       More .htaccess rules for further protection in my Master .htaccess: http://snipt.net/nikosdion/the-master-htaccess
  • 20. Ask the geek
  • 21. That’s all, folks!
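The .htaccess variant of the password protection on the multifactor back-end authentication slide (slide 6, "Use your host's Control Panel, or .htaccess"), written out as an added example. This is not code from the deck, from Akeeba or from the author. It assumes Apache with mod_auth_basic loaded and AllowOverride AuthConfig granted for the site; the helper names write_admin_auth and add_htpasswd_user are made up for the example.

```shell
#!/bin/sh
# Added example (not from the slides): HTTP Basic auth in front of Joomla!'s
# /administrator directory. Assumes Apache with mod_auth_basic and
# AllowOverride AuthConfig. Helper names are hypothetical.

# write_admin_auth SITE_ROOT AUTHFILE
#   Writes SITE_ROOT/administrator/.htaccess. AUTHFILE must be an absolute path
#   outside the web root: Apache resolves it on the filesystem, and a password
#   file under the document root is one more thing a visitor can download.
write_admin_auth() {
    root=$1; authfile=$2
    case $authfile in
        /*) ;;
        *)  echo "AUTHFILE must be an absolute path" >&2; return 1 ;;
    esac
    case $authfile in
        "$root"/*) echo "AUTHFILE must live outside the web root" >&2; return 1 ;;
    esac
    mkdir -p "$root/administrator"
    cat > "$root/administrator/.htaccess" <<EOF
# Second factor in front of the Joomla! back-end: the browser has to answer
# this prompt before any PHP under administrator/ runs, so it also covers
# direct requests to files that a secret-URL-parameter plugin never sees.
AuthType Basic
AuthName "Restricted area"
AuthUserFile $authfile
Require valid-user
EOF
}

# add_htpasswd_user AUTHFILE USER PASSWORD
#   Appends USER with an Apache apr1 (MD5) hash, the format htpasswd produces,
#   and keeps the file owner-readable only so other accounts on a shared host
#   cannot read the hashes.
add_htpasswd_user() {
    authfile=$1; user=$2; pass=$3
    digest=$(printf '%s' "$pass" | openssl passwd -apr1 -stdin) || return 1
    mkdir -p "$(dirname "$authfile")"
    ( umask 077; printf '%s:%s\n' "$user" "$digest" >> "$authfile" )
    chmod 600 "$authfile"
}

# Usage, with the password file one level above the document root:
#   write_admin_auth /var/www/example.com/htdocs /var/www/example.com/.htpasswd
#   add_htpasswd_user /var/www/example.com/.htpasswd admin 'long random passphrase'
```

Use a username that is not "admin" and a long passphrase; the prompt is the first thing a brute-forcer meets, and the hashes are only as strong as what goes into them. Extensions that call administrator/index.php from the front-end (AJAX helpers, some media managers) will hit the prompt too, which is the trade-off the slide describes as "more difficult to set up".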
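An added example for the permissions slides ("Permissions must make sense" through the deny .htaccess for tmp, logs, cache and administrator/cache); it is not code from the deck or from the author. It assumes the files are owned by the account the web server runs as, or that the FTP layer from the deck is enabled, because once 0777 is gone nobody else can write tmp/ and cache/. The names deny_htaccess, list_world_writable, mode_of and harden_joomla_perms are hypothetical.

```shell
#!/bin/sh
# Added example (not from the slides): sane permissions for a Joomla! tree,
# a report of what is still world-writable, and the deny-all .htaccess in the
# writable directories. Helper names are hypothetical.

# deny_htaccess DIR
#   Refuses every direct request for DIR, in both the Apache 2.2 (Order/Deny)
#   and 2.4 (Require) dialects, so it survives a server upgrade. PHP can still
#   read and write the directory; what is blocked is serving (and thereby
#   executing) an uploaded file through a URL.
deny_htaccess() {
    mkdir -p "$1"
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# mode_of PATH -> octal permission bits, GNU stat first, BSD/macOS stat as fallback
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# list_world_writable ROOT
#   Prints every file or directory under ROOT with the o+w bit set (the 0777
#   and 0666 cases), skipping symlinks.
list_world_writable() {
    find "$1" ! -type l -perm -002
}

# harden_joomla_perms ROOT
#   Directories 0755, files 0644, configuration.php 0444 (Joomla! re-chmods it
#   when you save the global configuration), and the deny .htaccess in tmp,
#   logs, cache and administrator/cache.
harden_joomla_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/configuration.php" ]; then
        chmod 444 "$root/configuration.php"
    fi
    for d in tmp logs cache administrator/cache; do
        deny_htaccess "$root/$d"
    done
}

# Usage:
#   list_world_writable /var/www/example.com/htdocs
#   harden_joomla_perms  /var/www/example.com/htdocs
```

Run list_world_writable first and look at what it prints: every entry is either an extension that demanded 0777 (the "badly written extensions" of the deck) or a leftover from a hurried upload, and both deserve a second look before the blanket chmod.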
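An added example for the prefix slides ("We are all sitting ducks" and "The prefix matters"): generating the table renames that take an existing site off jos_, plus the configuration.php edit and a check for extensions that hard-code the prefix. This is not code from the deck or from the author. It assumes MySQL and a configuration.php containing a $dbprefix = 'jos_'; line (the 1.5 var and the 1.6+ public spellings both match); the names random_prefix, gen_prefix_rename, set_config_prefix and find_hardcoded_prefix are made up for the example.

```shell
#!/bin/sh
# Added example (not from the slides): move an existing site off the default
# jos_ table prefix. The SQL is generated for review, not executed; run it
# with the site offline and a fresh backup in hand. Helper names are
# hypothetical; assumes MySQL and a configuration.php with a
#   $dbprefix = 'jos_';
# line.

# random_prefix -> e.g. "k7x2_": a short random prefix that is not the default
random_prefix() {
    printf '%s_' "$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 4)"
}

# gen_prefix_rename OLD NEW
#   Reads table names from stdin, one per line (for instance the output of
#     mysql -N -e "SHOW TABLES LIKE 'jos\_%'" joomla),
#   and prints one RENAME TABLE statement per table carrying OLD.
gen_prefix_rename() {
    old=$1; new=$2
    while IFS= read -r t; do
        case $t in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}" ;;
        esac
    done
}

# set_config_prefix CONFIG NEW
#   Points configuration.php at the new prefix, keeping a .bak copy.
set_config_prefix() {
    sed -i.bak "s/\(\$dbprefix *= *'\)[^']*'/\1$2'/" "$1"
}

# find_hardcoded_prefix ROOT OLD
#   Lists PHP files that still contain the literal OLD prefix. Well-behaved
#   extensions use the #__ placeholder; anything printed here breaks after the
#   rename and needs fixing (or removing) first.
find_hardcoded_prefix() {
    find "$1" -name '*.php' -exec grep -l -- "$2" {} +
}

# Usage:
#   new=$(random_prefix)
#   mysql -N -e "SHOW TABLES LIKE 'jos\_%'" joomla | gen_prefix_rename jos_ "$new" > rename.sql
#   find_hardcoded_prefix /var/www/example.com/htdocs jos_
#   mysql joomla < rename.sql && set_config_prefix /var/www/example.com/htdocs/configuration.php "$new"
```

Renaming the tables and editing configuration.php have to happen together; between the two steps the site throws database errors on every page, which is why the deck recommends choosing the prefix at install time whenever you can.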