Joomla, magic quotes, shared hosting

Joomla, magic quotes, shared hosting

Posted by: Coolcris
Posted on: 2008-01-04 18:28:00

Hello,
recently i had an attack on a website of mine running Joomla (on another hosting company with Magic quotes ON but Register globals OFF), so, now i'm much exigent in terms of security.
I saw all discussions in this forum about "magic quotes" in php5 and the thing that is not considered dangerous.
I fear it can be "dangerous" because every joomla-based web-community use many external components
like galleries, games, calendars and so on... and the security of the code is not completely guaranteed...

During the attack of my website i've found many attempt to put SQL injection and this seem easiest if magic quotes are OFF.

this is an example of the attack code i've found in the statistics of my website:


01/01/2008 17:04:06 - http://www.xxxxxx.xx/index.php?option=com_puarcade&Itemid=92&fid=-1 union select concat(username,0x3a,password) from jos_users--
01/01/2008 17:05:07 - http://www.xxxxxx.xx/component/option,com_puarcade/Itemid,92/fid,-1 union select concat(username,0x3a,password) from jos_users--


it has been tried also on other components than puarcade, like Jevent and others.

In internet i've found a page that explain the exploit attempt and put the finger on "Magic quotes" OFF:

http://www.milw0rm.com/exploits/4691


~~~~~~~~~~~~~
Vulnerability:
Input passed to the "catid" parameter is not properly verified before being used to sql query.
This can be exploited thru the browser and get the hash md5 password from users.
Successful exploitation requires that "magic_quotes" is off.
~~~~~~~~~~~~~


It is likely that my attack has been done due to Register globals and not due to magic quotes that was ON. But the code i've pasted here demonstrate that the hacker that attacked my website also tested for Magic Quotes related vulnerabilities. In this condition i don't want to re-publish the website attending its return...

My intent is to switch "magic quotes" ON, as recommended by joomla devs, but i'm on a shared hosting here on Dreamhost.
On DH wiki i've found this:


~~~~~~~~~~~~~
Joomla! will run just fine with the default DreamHost setting, but if you are concerned about the "Security Warning" that is displayed, and would prefer to have Magic Quotes GPC set "ON" as recommended by the Joomla! development team, you can change this setting for use on your domain by installing your own version of PHP5, installing your own version of PHP4, or modifying your own copy of php.ini (for use with a local copy of DreamHost's default PHP installation) to change the setting.
~~~~~~~~~~~~~

I suppose this are instruction for dedicated or virtual server owners... there is a way to turn "magic quotes" ON also on a shared hosting plan?

Thanks
...excuse me for my poor english :)

Cris


Re: Joomla, magic quotes, shared hosting

Posted by: rlparker
Posted on: 2008-01-04 18:52:00

You are correct that there *are* Joomla! components that are not properly hardened, and in some instances, magic_quotes being ON can help make the software more secure. The Joomla! core, and many components, are coded in such a way the the magic_quotes setting is not relevant.

In reply to:

this is an example of the attack code i've found in the statistics of my website:
01/01/2008 17:04:06 - http://www.xxxxxx.xx/index.php?option=com_puarcade&Itemid=92&fid=-1 union select concat(username,0x3a,password) from jos_users--
01/01/2008 17:05:07 - http://www.xxxxxx.xx/component/option,com_puarcade/Itemid,92/fid,-1 union select concat(username,0x3a,password) from jos_users--

This code relies upon your leaving the table prefix set to the default "jos_users". One way of "hardening" that is to use a different prefix (I use a different prefix for every installation).

In reply to:

Vulnerability:
Input passed to the "catid" parameter is not properly verified before being used to sql query.
This can be exploited thru the browser and get the hash md5 password from users.
Successful exploitation requires that "magic_quotes" is off.

The newest version of Joomla! also salts the MD5 password, which adds another layer of security.

In reply to:

My intent is to switch "magic quotes" ON, as recommended by joomla devs, but i'm on a shared hosting here on Dreamhost.
On DH wiki i've found this:


~~~~~~~~~~~~~
Joomla! will run just fine with the default DreamHost setting, but if you are concerned about the "Security Warning" that is displayed, and would prefer to have Magic Quotes GPC set "ON" as recommended by the Joomla! development team, you can change this setting for use on your domain by installing your own version of PHP5, installing your own version of PHP4, or modifying your own copy of php.ini (for use with a local copy of DreamHost's default PHP installation) to change the setting.
~~~~~~~~~~~~~

That section also applies to DreamHost shared hosting customers, and there are instructions for doing that in the DreamHost wiki:

http://wiki.dreamhost.com/Installing_PHP5#Using_DreamHost.27s_PHP_5
http://wiki.dreamhost.com/Installing_PHP4
http://wiki.dreamhost.com/PHP.ini
http://wiki.dreamhost.com/Custom_PHP.ini
http://wiki.dreamhost.com/PHP_Magic_Quotes

--rlparker

Re: Joomla, magic quotes, shared hosting

Posted by: Coolcris
Posted on: 2008-01-05 09:35:00

Thanks for your quick and useful reply i will try to change the setting using the instructions on the wiki...
Maybe i will come here again for some help... :)
Thanks
Cris

Re: Joomla, magic quotes, shared hosting

Posted by: rlparker
Posted on: 2008-01-05 11:26:00

You are welcome, and hopefully those wiki articles will give you what you need to know to make the setting change.

In reply to:

Maybe i will come here again for some help... :)

You are, of course always welcome! wink

--rlparker


Tags: php5hosting companycalendarsquotesstatisticsgamesphp5hosting companycalendarsquotesstatisticsgames