First off thanks for the tip and patch Phil, much appreciated.
Quote:
    Good to know man! I was unable to get your .htaccess. What did you do differently to yours? Would you mind posting the code so I can see it?
It's just a bunch of extra .htaccess rules to help protect things like the configuration file, CGI scripts etc. You can add as many file types as you want. It also sends mail harvesters to a dummy page; just change /spamcop/ near the end of the main script to /yoursite.com/ and it will all make sense with the readme files.
http://mamboforge.net/projects/mamlock/
My patch has nothing to do with Phil's; they work on very different areas, but it might be worth setting an .htaccess script in the includes file to block direct access to them. As I gather, the hack on Phil's was through the Mambo includes file, pertaining to account generation.
Whilst .htaccess won't prevent an SQL injection, it can stop someone getting to your admin login screen, and hopefully stop them getting access to sensitive files in the first place.
Download from the forge; if you still can't get it, let me know and I'll post it all. In the meantime, here are the most crucial bits:
In the root .htaccess:
Code:
#
# htaccess file for SEF
# @package Mambo Open Source
# @Copyright (C) 2000 - 2003 Miro International Pty Ltd
# @ All rights reserved
# @ Mambo Open Source is Free Software
# @ Released under GNU/GPL License : http://www.gnu.org/copyleft/gpl.html
# @version $Revision: 1.10 $
#
# mod_rewrite in use
#
RewriteEngine On
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update YourMamboDirectory (just / for root)
# RewriteBase /
#
# Rules
#
RewriteRule ^content(.*) index.php
RewriteRule ^component/(.*) index.php
Options +SymLinksIfOwnerMatch
ErrorDocument 404 http://www.mediabox101.com/index.php?option=com_404
# deny most common except .php
<FilesMatch "\.(inc|includes|tpl|h|ihtml|sql|ini|configuration|class|bin|spd|theme|module|modules|components|mambots|editor|media)$">
deny from all
</FilesMatch>
<Limit GET PUT POST>
Order Allow,Deny
Allow from all
</Limit>
<Files .htaccess>
order allow,deny
deny from all
</Files>
Some components, including Phil's Form component, need access to the admin folder, so securing the entire folder is not an option. In this case you need to secure the index.php file:
Create two text files: one will be the .htaccess, the other should be .htpasswd.
In the .htaccess paste the following code:
Code:
<Files .htpasswd>
deny from all
</Files>
<Files index.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted"
AuthType Basic
AuthUserFile /var/www/html/administrator/.htpasswd
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
Paste the following in the .htpasswd file:
Save both files using the aforementioned names.
In most cases the only line you will need to change is:
AuthUserFile /var/www/html/administrator/.htpasswd
Change /var/www/html/ to the exact path of your site.
Now use the Salt Encrypter to generate your password. Simply key in the desired password and a two-letter salt value in the appropriate fields.
Change the .htpasswd to
yourusername:yourencryptedpassword
Upload both files to the Mambo admin folder.
In some (rare) instances the server might reject the password file
(some hosting set-ups will require the .htpasswd to be located in a specific directory). In that case password protect the folder in the normal manner through your host's CP. Download the .htaccess file it generated and look at the paths.
You should see something like this:
Code:
AuthUserFile /home/virtual/sitexx/xxx/var/www/.htpasswd
AuthGroupFile /home/virtual/sitexx/xxx/var/www/.htgroup
AuthName "username"
AuthType Basic
<Limit GET>
require group groupname
</Limit>
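A quick way to check what the FilesMatch rule in the root .htaccess above actually covers is to run its regex against a list of file names the way Apache does (against the file name only, case-sensitively). The script below is an added example, not part of the post or of the mamlock/Mambo code; the pattern is copied from the posted .htaccess, while the file names it is tested against are constructed here for illustration.

```python
import re

# The "deny most common except .php" container, copied from the posted root .htaccess.
ROOT_HTACCESS_SNIPPET = r'''
# deny most common except .php
<FilesMatch "\.(inc|includes|tpl|h|ihtml|sql|ini|configuration|class|bin|spd|theme|module|modules|components|mambots|editor|media)$">
deny from all
</FilesMatch>
'''


def parse_filesmatch(htaccess_text: str) -> re.Pattern:
    """Pull the regex out of the first <FilesMatch "..."> container in an .htaccess text.

    Apache compiles it as a case-sensitive regex (no (?i) flag in the posted pattern)
    and matches it against the final path component only, never the directory part.
    """
    m = re.search(r'<FilesMatch\s+"([^"]+)"\s*>', htaccess_text)
    if not m:
        raise ValueError('no <FilesMatch "..."> container found')
    return re.compile(m.group(1))


DENY_PATTERN = parse_filesmatch(ROOT_HTACCESS_SNIPPET)


def is_denied(filename: str) -> bool:
    """True if the FilesMatch regex matches, i.e. 'deny from all' would apply to this file name."""
    basename = filename.rsplit("/", 1)[-1]  # Apache only looks at the file name
    return DENY_PATTERN.search(basename) is not None


def audit(filenames) -> dict:
    """Map each file name to whether the posted rule blocks direct access to it."""
    return {name: is_denied(name) for name in filenames}


# Constructed sample names; not taken from any real site.
SAMPLE_FILES = [
    "configuration.php",      # served via PHP, deliberately not matched
    "includes/config.inc",    # .inc source: blocked
    "install/mambo.sql",      # schema dump: blocked
    "install/DUMP.SQL",       # upper-case extension: NOT blocked (regex is case-sensitive)
    "configuration.php.bak",  # editor backup: NOT blocked (.bak is not in the list)
    "templates/main.tpl",     # template source: blocked
]

if __name__ == "__main__":
    for name, denied in audit(SAMPLE_FILES).items():
        print(f"{'DENY ' if denied else 'allow'}  {name}")
```

Running it shows the two things worth knowing before relying on this rule: the match is case-sensitive, so an upper-case extension such as .SQL slips past, and only the listed extensions are covered, so a backup copy like configuration.php.bak is still served as plain text. Both are easy to close by adding `(?i)` and the extra extensions to the pattern.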