You are here: Home

Presentations

Security talk: Fortifying your Joomla! website on J and Beyond 2010

Latest News

Security talk: Fortifying your Joomla! website on J and Beyond 2010

Written by Radek Suski

Wednesday, 02 June 2010

Fortifying your Joomla! website - Security talk, held on the International Joomla! Conference "J and Beyond" on May 31, 2010 in Wiesbaden, Germany

Security talk: Fortifying your Joomla! website

Joomla! .htaccess file example

 
##
# @version $Id: htaccess.txt 14401 2010-01-26 14:10:00Z louis $
# @package Joomla
# @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
#####################################################
# Modified by Radek Suski (@RS) Sigsiu.NET GmbH
# Email: sobi[at]sigsiu.net
# Url: http://www.Sigsiu.NET
# Version 1.0
#####################################################
 
 
#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################
 
##  Can be commented out if causes errors, see notes above.
Options +FollowSymLinks
 
#
#  mod_rewrite in use
 
#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)
 
RewriteEngine On
 
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## End of deny access to extension xml files
 
#### @RS if the request contains /proc/self/environ
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
#### @RS
 
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
 
#### @RS
# File injection 
# May cause problems !!!! 
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]\=http:\/\/(.*)
RewriteRule ^(.*)$ index.php [F,L]
#### @RS
 
#### @RS
# Deny access to php, xml and ini files 
# within components and plugins directories
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} \.php|\.ini|\.xml [NC]
RewriteCond %{REQUEST_URI} \/components\/ [OR]
RewriteCond %{REQUEST_URI} ^\/includes\/|^\/administrator\/includes\/ [OR]
RewriteCond %{REQUEST_URI} \/language\/ [OR]
RewriteCond %{REQUEST_URI} \/libraries\/ [OR]
RewriteCond %{REQUEST_URI} \/modules\/ [OR]
RewriteCond %{REQUEST_URI} \/plugins\/ [OR]
RewriteCond %{REQUEST_URI} \/templates\/ [OR]
RewriteCond %{REQUEST_URI} \/xmlrpc\/
RewriteRule ^(.*)$ index.php [R=404,L]
#### @RS
 
#### @RS
# Prevent most common SQL-Injections
RewriteCond %{query_string} concat.*\( [NC,OR]
RewriteCond %{query_string} union.*select.*\( [NC,OR]
RewriteCond %{query_string} union.*all.*select [NC]
RewriteRule ^(.*)$ index.php [F,L]
#### @RS
 
########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$  [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section
 
#### @RS
# Block most common hacking tools
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Wget" stayout=1
deny from env=stayout
#### @RS

Next >

User Feedback

SIMPLY AMAZING!!!!! - Thursday, 16 October 2008

This is by far the absolute best Joomla Component I have ever come across. Super flexible, easy to customize and the support is just as great as the product itself...if not better!
I highly recommend you get your hands on this baby and start playing with it. Very nice indeed!

A high quality component and excellent support! - Monday, 13 October 2008

The support is great, and the Sobi2 component is continuously developed, getting better every day. The forum is excellent. If you run into any kind of problem, just post it on the forum and the problem is often solved immediately, either by the developers or the forum members! The forum help is really outstanding, and far beyond that offered by most other Joomla forums!

Key Component - Monday, 13 October 2008

How can I say enough about SOBI2 You can do so much with it its amazing. Had a little hiccup on an upgrade and posted a topic on the forum answered and fixed in no time. My hats off to these guys they are the best. :-)

Simply the best directory solution for Joomla - Sunday, 12 October 2008

Support from the developer via the SOBI community forum is excellent and the SOBI component is continuously developed meaning that it just keeps on getting better!

Powerful, Flexible, and Customizable Component - Friday, 10 October 2008

SOBI2 is a potential solution for a wide range of applications.
Because the SOBI2 component is so flexible/customizable, and has a wide range plugins/modules/extensions, it is somewhat difficult to adequately describe the scope of SOBI2's capabilities and potential applications. The Developers describe it as a "directory component ... to show entries of companies, clubs, persons, shops, products". This description perhaps understates the component's capabilities and potential applications.

Best Directory and probably best component ever - Friday, 10 October 2008

This component is simply the best component around regarding ease of use, flexibility and potentials, support (even if it's free) and community help.
This component is an absolute must for everyone who needs a directory or listing site.

Excellent support - Wednesday, 08 October 2008

An essential extension for any Joomla website. But I have to mention how excellent the support is on the SOBI2 forums. Questions are answered very quickly and there are always examples available. Top product!!

Amazing product & 1st class support in the forums - Wednesday, 08 October 2008

This is the best experience I've had with OS software and my wife (who isn't into computers) can't believe there are people like this out there. Can't recommend this extension highly enough.

Truely a great product - Tuesday, 07 October 2008

I have been doing some research on directory software for sometime and I have to say this is the best product I have come across. SOBI2 is has loads of features, highly customisable and adaptable to any type of listing and directory needs. Without any prior experience in Joomla and PHP I was able to install and use easily. There is a great support forum as well.

Sobi-Most Flexible and Adaptable Directory Extension - Tuesday, 07 October 2008

I have used this now twice on production sites and it is not only an excellent directory extension,but ideal for any listing environment.
The support is outstanding both from the forum users and developers.Development is ongoing and there are a number of excellent add ons.
Fully customizable -try it first!!!!

Professional strength directory component - Sunday, 21 September 2008

SOBI2 has plenty of features - I just keep finding new ones every week! The clean code, flexibility and power in SOBI2 are the perfect ingredients for a real web portal. Thanks to all the developers at Sigsiu.NET - well done! For anybody looking for a superb industrial strength Joomla directory extension - you've just found it.

Very flexible and powerful - Sunday, 14 September 2008

This software ranks with the best there is for free (and commercial), easy-to-use directory component for Joomla. I would have paid lots of money just to own this, but its FREE! Also, the Admin console is beautiful in its look. I have no problem running it for a long time now. This is a really good software. The code is very nice and clean. It's very easy to customize, and has got some really great plugins! Try it!

Master of all directories - Thursday, 11 September 2008

SOBI2 is the best COM for directories which I tested, and I tested ALL mayor directories.

Very powerfull! - Tuesday, 19 August 2008

Let me just say, I have big plans for this component. We have several projects on the horizon SOBI2 will be perfect for. Everything from a small directory of equipment to a free flowing video gallery for a non-profit organization. Very solid install, setup and configuration. Very, very good component and set of plugins.

Well built component with excellent support - Monday, 28 July 2008

SOBI2 is a truly excellent joomla component. I'm no good at all at coding from the beginning, so when i was asked to create a business directory for the company i work for i was a little worried about delivering. Along comes Joomla and SOBI2 and all the hard work is gone.

Just the best - Saturday, 19 July 2008

Thanks for a wonderful ware, easy to instal and configure and think its going to get better with new versions!

Couldn't ask for anything better - Wednesday, 09 July 2008

Simple to use, massively flexible, very performant. The new version is so customizable, includes extras and a busy forum so that getting advice, hacks, and tips is a breeze, even for us technically-challenged folk.
SOBI2 offered everything that our site was looking for directory component.

Great for my inventory project - Tuesday, 08 July 2008

I work for a non-profit arts organization and this was perfect tool for an inventory project that catalogged buildings in the county. We added in a lightbox for photos and the geo mapping tool to create Google maps in each record.

Best Joomla component ever - Wednesday, 18 June 2008

Sobi2 is an excellent component with suburb support, often within 1 hour :)
Also the free plugins works out of the box.
There are also not free plugins/addons, you have to pay a small fee but it is really worth the money.
The community is very active and if you have a problem/question it is ussually solved on the fly.

what do you want more? - Saturday, 14 June 2008

absolutely great component that can be costumized to fit your needs.
i'm using this component instead of the standard weblink component from joomla.
congratulations for the developers!
use their forum if you need some tips & tricks for customization!

One million dollars tool - Monday, 26 May 2008

Simply the best. Great product, great support!

Very flexible and powerful directory component - Wednesday, 21 May 2008

its the coolest the most costomizable and profitinal component.
Very modular piece of work. Simply incredible how easy it was to set up and get running.
Thank you!

Simply The Best!!! - Tuesday, 20 May 2008

If you need a sofisticated, but at the same time easy to set up and control open directory system, this component would be probably your best solution! There are addtional modules supported for the system, so it's customizable, there are labguage packs... is there anything else you can dream of? :) My advice is : just use it for your needs and say thanks a lot to its developers! Thank you!

Works just great... easy in use... :) Super - Tuesday, 20 May 2008

This component is amazing and very easy to setup and run out of the box! You can also heavily tweak it if you know even a little bit about PHP. It's fast, reliable and very good secured. I saw the code and I think that it will never possible to hack any site thru this component. If it was sold at $100, I would buy it with no hesitation!

Perfect application - Tuesday, 13 May 2008

This is a perfect application. It is clean programmed and has a nice layout. The code is very nice and clean. It's very easy to customize, and has got some really great modules! Try it, This package beats them all!

Wonderful Joomla directory extension - Monday, 05 May 2008

I spent some time researching the different components out there, and none looked as apealing, easy to install and use, yet be powerful and scalable, as SOBI2.
SOBI2 seemed to have all the features I was interested in, and many others. Good program and excellent support.

Easy To Install And Use SOBI2 - Wednesday, 30 April 2008

SOBI2 is the best directory manager for Joomla! that i have seen. With all the features and tools at first one would think this would be to complicated to use and manage, but that not the case. SOBI2 works and is very easy to use.

What more would you ask for a directory - Tuesday, 22 April 2008

SOBI2 is I can say the most adaptive, the fastest, the most usable and tweakable directory there is on the net Speed, adaptability, powerful, easy to understand and simple. Everything a webmaster would ever want to offer their clients, and everything a client would want on their site.
And to be honest, because of this directory extension I've started to use Joomla ... ;-)

Amazing - Monday, 14 April 2008

I've spent about 10 hours in the last few days trying to figure out the best solution for Directory/Review listings. This soars so high above every other option out there that they can't touch this component.
This is by far the best addition to Joomla I have seen.

Excellent component - Friday, 11 April 2008

I discovered SOBI2 only one week ago, but I can say that I am very pleased to work with it. You can modify it to develop your own custom theme, or if you are a beginner it has everything integrated to be able to use it in your way. Nice work and by deepest respect for the developers that made this (and made it free). Keep on going with this and I hope to see future developements.