JD11NL - Joomla! Security 101
Transcript of JD11NL - Joomla! Security 101
Joomla! Security 101
What to do before disaster strikes
http://akeeba.info/security-101
Thursday, 31 March 2011
Hi, I’m Nicholas Dionysopoulos
and I bet you can’t pronounce my last name
http://akeeba.info/me
The basics
What we’re supposed to do and rarely do
Frequent, tested backups
Would you jump off a plane without a parachute?
http://akeeba.info/backup

Update, yesterday
Yesterday’s code is tomorrow’s hack
http://akeeba.info/basic-security

Protect your backend
The login is not enough

777: The number of the beast
Permissions are doors; don’t leave them open
http://akeeba.info/777
Sensible permissions
Ask your host to enable suPHP or Apache’s mod_itk
Site root 0755 or 0700
Directories 0755
Files 0644
If you “must” use 0777 (don’t!) protect the directory with .htaccess:
order deny,allow
deny from all
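The slide's numbers (site root 0755 or 0700, directories 0755, files 0644, never 0777) are easy to state and tedious to verify by hand across a whole Joomla! tree. The following audit script is an added example, not code from the talk or from Akeeba: it walks a site root, reports world-writable entries first, then anything else that deviates from the recommended modes, and can apply the recommended modes in place. The small demo tree it builds is constructed for illustration; point `audit_permissions()` at a real site root instead.

```python
"""Permission audit for a Joomla! site tree, following the slide's advice:
site root 0755 (or 0700), directories 0755, files 0644, and no 0777 anywhere.
Added example, not from the talk or from Akeeba; the demo tree is constructed."""
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE = 0o755             # recommended for directories
FILE_MODE = 0o644            # recommended for files
ROOT_MODES = {0o755, 0o700}  # either is acceptable for the site root


def _mode(path):
    """Permission bits only (no file-type bits), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_permissions(root):
    """Return a sorted list of (relative_path, mode_as_octal_string, problem).

    World-writable entries are the urgent class (the slide's 0777); any other
    deviation from the recommended modes is reported too. Symlinks are skipped
    because their own mode bits are meaningless; only the target's count."""
    root = Path(root)
    findings = []
    root_mode = _mode(root)
    if root_mode not in ROOT_MODES:
        findings.append((".", oct(root_mode), "site root should be 0755 or 0700"))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            mode, rel = _mode(p), p.relative_to(root).as_posix()
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable directory"))
            elif mode != DIR_MODE:
                findings.append((rel, oct(mode), "directory should be 0755"))
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            mode, rel = _mode(p), p.relative_to(root).as_posix()
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable file"))
            elif mode != FILE_MODE:
                findings.append((rel, oct(mode), "file should be 0644"))
    return sorted(findings)


def fix_permissions(root):
    """Apply the recommended modes in place (a 0700 root is left as it is).
    Returns the number of entries changed."""
    root = Path(root)
    changed = 0
    if _mode(root) not in ROOT_MODES:
        os.chmod(root, DIR_MODE)
        changed += 1
    for dirpath, dirnames, filenames in os.walk(root):
        wanted = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, mode in wanted:
            p = Path(dirpath) / name
            if p.is_symlink() or _mode(p) == mode:
                continue
            os.chmod(p, mode)
            changed += 1
    return changed


def make_demo_tree():
    """Build a small constructed site tree with two typical mistakes:
    a 0777 images directory and a 0666 configuration.php."""
    root = Path(tempfile.mkdtemp(prefix="joomla-demo-"))
    os.chmod(root, 0o755)
    for d, mode in (("images", 0o777), ("cache", 0o755), ("administrator", 0o755)):
        (root / d).mkdir()
        os.chmod(root / d, mode)
    for f, mode in (("configuration.php", 0o666), ("index.php", 0o644),
                    ("administrator/index.php", 0o644)):
        (root / f).write_text("<?php // constructed placeholder\n")
        os.chmod(root / f, mode)
    return str(root)


if __name__ == "__main__":
    demo = make_demo_tree()
    for rel, mode, problem in audit_permissions(demo):
        print(f"{mode:>6} {rel:<25} {problem}")
    print(f"fixed {fix_permissions(demo)} entries; remaining: {audit_permissions(demo)}")
```

Run it before and after asking the host for suPHP or mod_itk: once PHP runs as the site owner, 0755/0644 is enough for the cache and image directories that extensions so often want 0777 for, and the audit should come back empty.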
Don’t be a sitting duck
It’s duck season!

Mind your prefix
Nobody wants to be a jos_
http://akeeba.info/prefix

62 reasons to fire your Super Administrator
or 42, depending on Joomla! version...
http://akeeba.info/62-reasons

Security Kung-Fu
You can’t kill a Ninja
http://akeeba.info/ninja
Visual fingerprinting
Seeing is believing and then some
tp=1
tmpl=offline
template=ja_puri
http://akeeba.info/ninja
Visual fingerprinting
RewriteCond %{QUERY_STRING} (&|%3F){1,1}tp= [OR]
RewriteCond %{QUERY_STRING} (&|%3F){1,1}template= [OR]
RewriteCond %{QUERY_STRING} (&|%3F){1,1}tmpl= [NC]
RewriteRule ^(.*)$ - [R=404,L]
http://akeeba.info/ninja
PHP has a big mouth
and that’s not water cooler gossip!
http://akeeba.info/ninja
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
RewriteRule ^(.*)$ - [R=404,L]
Blind Elephant
Meet your supervillain
http://akeeba.info/ninja
Blind Elephant
nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
Hit http://joomla.ubuntu.web/media/system/js/validate.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/caption.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/openid.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
Possible versions based on result: 1.5.17, 1.5.18
Fingerprinting resulted in:
1.5.17
1.5.18
Best Guess: 1.5.18
http://akeeba.info/ninja
Blind Elephant
RewriteRule ^(images/stories/.*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^http[s]{0,1}://(.+\.)?www\.example\.com [NC]
RewriteRule \.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?)$ - [R=404,L]
http://akeeba.info/ninja
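The three rule sets above (template-switch parameters, the PHP easter-egg query strings, and static files fetched without a referer from the site itself) are easier to reason about when you can replay them against requests you already have. The script below is an added example, not code from the talk or from Akeeba: it encodes the same policy as a classifier and runs it over access-log lines in Apache's combined format, which both tests the rules before they go live and surfaces fingerprinting attempts in old logs. Two assumptions beyond the slides: `www.example.com` is the placeholder host from the slide and must be replaced with your own, and the template-parameter check parses parameter names rather than matching the raw query string, so it also catches `tp=` when it is the first parameter, which the slide's `(&|%3F){1,1}tp=` pattern does not. The log lines and the list of files "on disk" are constructed.

```python
"""Replay the talk's .htaccess policy over access-log lines so a defender can see
which requests the rules would 404 and spot fingerprinting in existing logs.
Added example; host name, log lines and file list are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "www.example.com"   # placeholder, as on the slide; use your own host
TEMPLATE_PARAMS = {"tp", "template", "tmpl"}
PHP_EASTER_EGGS = {             # the four GUIDs from the slide
    "PHPE9568F36-D428-11d2-A769-00AA001ACF42",
    "PHPE9568F34-D428-11d2-A769-00AA001ACF42",
    "PHPE9568F35-D428-11d2-A769-00AA001ACF42",
    "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000",
}
STATIC_EXT = r"\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|html?)$"
STATIC_RE = re.compile(STATIC_EXT, re.I)
STORIES_EXEMPT_RE = re.compile(r"^/images/stories/.*" + STATIC_EXT, re.I)
SITE_REFERER_RE = re.compile(r"^https?://([^/]+\.)?" + re.escape(SITE_HOST), re.I)
# Apache "combined" log format
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<target>\S+) \S+" (?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def classify(target, referer, file_exists):
    """Return why the slide's rules would answer 404, or None if the request passes.

    `target` is the request path plus query string; `file_exists` stands in for
    Apache's `RewriteCond %{REQUEST_FILENAME} -f`."""
    parts = urlsplit(target)
    path, query = parts.path, unquote(parts.query)
    # Visual fingerprinting: any tp=, template= or tmpl= parameter, wherever it
    # sits in the query string (broader than the slide's regex, see lead-in).
    names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    if names & TEMPLATE_PARAMS:
        return "template-switch parameter"
    # PHP easter eggs: a query string of the form ?=PHPE9568F36-...
    if any(query.startswith("=" + egg) for egg in PHP_EASTER_EGGS):
        return "php easter egg"
    # Static files: images/stories is exempt; every other existing static file
    # must be requested with a referer from the site itself.
    if STORIES_EXEMPT_RE.match(path):
        return None
    if file_exists and STATIC_RE.search(path) and not SITE_REFERER_RE.match(referer):
        return "static file requested without a site referer"
    return None


def scan_log(lines, existing_files):
    """Return [(ip, target, reason)] for every log line the rules would block."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a production tool would count these
        target = m.group("target")
        exists = urlsplit(target).path in existing_files
        reason = classify(target, m.group("referer"), exists)
        if reason:
            hits.append((m.group("ip"), target, reason))
    return hits


# Constructed sample data: files present on disk, and six log lines.
EXISTING_FILES = {"/media/system/js/validate.js",
                  "/templates/rhuk_milkyway/css/template.css",
                  "/images/stories/logo.png"}
SAMPLE_LOG = [
    '198.51.100.7 - - [31/Mar/2011:10:00:00 +0200] "GET /index.php?option=com_content&tp=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Mar/2011:10:00:01 +0200] "GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [31/Mar/2011:10:00:02 +0200] "GET /media/system/js/validate.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [31/Mar/2011:10:00:03 +0200] "GET /images/stories/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [31/Mar/2011:10:00:04 +0200] "GET /templates/rhuk_milkyway/css/template.css HTTP/1.1" 200 3000 "http://www.example.com/index.php" "Mozilla/5.0"',
    '192.0.2.4 - - [31/Mar/2011:10:00:05 +0200] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG, EXISTING_FILES):
        print(f"{ip:<14} {reason:<45} {target}")
```

Two caveats worth checking against your own site before copying the rules verbatim: Joomla! itself uses `tmpl=component` for print and modal views, so a rule that blocks every `tmpl=` value needs that value whitelisted, and the static-file rule will also 404 a visitor who types an image URL directly or whose browser sends no referer, since from Apache's point of view that request looks the same as a fingerprinting probe.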
More protection for you
The Master .htaccess (free!)
http://akeeba.info/master-htaccess
Admin Tools Professional (15 €, use coupon code JDNL11)
http://akeeba.info/atpro
That’s me...
and this is the perfect time to ask me questions!

That’s all folks!
Want the slides? http://akeeba.info/security-101