Saturday, June 23, 2012

Joomla Security Fixes

Hosting security stuff

Turn off the following settings in the php.ini file:

1. allow_url_fopen
allow_url_fopen lets PHP functions such as file_get_contents() and the include and require statements retrieve data from remote locations over FTP or HTTP, which can lead to code injection vulnerabilities.

You should disable allow_url_fopen in the php.ini file:

; Disable allow_url_fopen for security reasons
allow_url_fopen = Off

The setting can also be disabled in Apache's httpd.conf file:
# Disable allow_url_fopen for security reasons
php_flag  allow_url_fopen  off

If you are using shared hosting, use my php.ini file.


2. display_errors setting
It should be turned off in a production environment so that error messages are not shown to visitors; instead of displaying error messages, log them to the error log file.

;in php.ini file
display_errors = Off
log_errors = On

# In httpd.conf: disable display_errors for security reasons
php_flag  display_errors  off
php_flag  log_errors  on


3. magic_quotes_gpc
When magic_quotes_gpc is on, all ' (single quote), " (double quote), \ (backslash) and NUL characters in incoming request data (GET, POST and cookie values) are escaped with a backslash automatically. This was meant to prevent all sorts of injection security issues.

But if the input data contains single or double quotes, it is escaped with slashes automatically, and when the application escapes it again the problem multiplies: repeatedly re-escaping already-escaped data, you end up with strings like
<a href=\"\\&quot;\\\\&quot;\\\\\\\\&quot;\\... !!

;in php.ini file
magic_quotes_gpc = Off

Joomla security stuff

1. Use the latest Joomla security update
    Get the latest Joomla updates from http://joomlacode.org/gf/project/joomla/frs/

2. All the SQL injection attacks go through the jos_users table, so first of all change the database prefix.

    Execute the following query to generate the RENAME TABLE statement (replace yourprefix_ and yourdatabasename), then run the statement it returns:

SET SESSION group_concat_max_len = 65535; -- the default of 1024 would truncate the generated statement
SELECT CONCAT('RENAME TABLE ', GROUP_CONCAT('`', TABLE_SCHEMA, '`.`', TABLE_NAME, '` TO `', TABLE_SCHEMA, '`.`yourprefix_', SUBSTRING(TABLE_NAME, 5), '`' SEPARATOR ', '), ';') AS q -- SUBSTRING(..., 5) drops the old 'jos_' prefix
FROM `information_schema`.`TABLES` WHERE TABLE_SCHEMA = 'yourdatabasename' AND TABLE_NAME LIKE 'jos\_%';

Change the prefix value in the configuration.php file as well:
var $dbprefix = 'yourprefix_';


3. Use only secure third-party plugins and keep them updated

4. Use a secure username and password for administrators
Use strongpasswordgenerator.com or some other tool to generate a strong password

5. Use an SEF component that makes your Joomla more secure
Use the .htaccess file provided with the Joomla package (just rename htaccess.txt to .htaccess)


6. Write-protect your Joomla configuration file (make it unwritable)
Set permission 444 on configuration.php (chmod 444 configuration.php)
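As an added example that is not part of the original post, the following POSIX shell script checks the four php.ini directives from the hosting section above (allow_url_fopen, display_errors, log_errors, magic_quotes_gpc) and the 444 permission from step 6. The function names are my own, and the php.ini / configuration.php paths in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini-style file for the
# four directives discussed above and check that configuration.php is mode 444.
# Assumes php.ini syntax ("name = value", ';' starts a comment, last setting wins).

# ini_value FILE NAME: print the last active value of NAME, unquoted and lowercased
# (empty output means the directive is not set in FILE).
ini_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' \
              -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//" \
        | tr '[:upper:]' '[:lower:]'
}

# ini_is_on VALUE: PHP reads on/1/yes/true as enabled; anything else is disabled.
ini_is_on() {
    case "$1" in
        on|1|yes|true) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE: print one FAIL line per directive that is unset or not in the
# recommended state; the exit status is the number of failures (0 = all good).
audit_php_ini() {
    fails=0
    for want in allow_url_fopen:off display_errors:off magic_quotes_gpc:off log_errors:on; do
        name=${want%%:*}; expect=${want##*:}
        value=$(ini_value "$1" "$name")
        if ini_is_on "$value"; then state=on; else state=off; fi
        if [ -z "$value" ]; then
            echo "FAIL $name is not set in $1; set it explicitly to $expect"
            fails=$((fails + 1))
        elif [ "$state" != "$expect" ]; then
            echo "FAIL $name = $value in $1; expected $expect"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# config_is_write_protected FILE: succeed only if FILE is a regular file with mode 0444,
# as step 6 asks for. (Testing -w is not enough: root can always write the file.)
config_is_write_protected() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 0444)" ]
}
```

Source the script and run audit_php_ini /etc/php.ini and config_is_write_protected /var/www/html/configuration.php (both paths are examples); a non-zero exit status from audit_php_ini is the number of directives still to fix.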


7. Delete Joomla templates and unnecessary files/folders that you do not use
