
Why Does This htaccess Securing Not Work? 
 
J_T_
Moderator
 
Joined:  2008-08-07
London-ish, UK
 

Trying to get a few security related rules working for someone but struggling with weird behaviour.

This is the standard Magento htaccess rewrite, which works fine:

<IfModule mod_rewrite.c>

############################################
## enable rewrites

    Options +FollowSymLinks
    RewriteEngine on

############################################
## you can put here your magento root folder
## path relative to web root

    #RewriteBase /magento/

############################################
## workaround for HTTP authorization
## in CGI environment

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

############################################
## always send 404 on missing files in these folders

    RewriteCond %{REQUEST_URI} !^/(media|skin|js)/

############################################
## never rewrite for existing files, directories and links

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-l

############################################
## rewrite everything else to index.php

    RewriteRule .* index.php [L]

</IfModule>

I’m trying to add in this:

### J.T. Edit via http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!

#### @RS if the request contains /proc/self/environ
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
#### @RS
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
### End J.T. Edit

Now try to access: http://www.shop.com/index.php?option=<script>

That should yield a 403.

With the original Magento rewrite still there, it won’t work. Remove Mage’s original code and just have that edit, it works, we see a 403.

Here’s what I have complete:

<IfModule mod_rewrite.c>

############################################
## enable rewrites

    Options +FollowSymLinks
    RewriteEngine on

############################################
## you can put here your magento root folder
## path relative to web root

    #RewriteBase /magento/

### J.T. Edit via http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!

#### @RS if the request contains /proc/self/environ
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
#### @RS
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
### End J.T. Edit

############################################
## workaround for HTTP authorization
## in CGI environment

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

############################################
## always send 404 on missing files in these folders

    RewriteCond %{REQUEST_URI} !^/(media|skin|js)/

############################################
## never rewrite for existing files, directories and links

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-l

############################################
## rewrite everything else to index.php

    RewriteRule .* index.php [L]

</IfModule>

I don’t get why, together, it doesn’t trigger the <script> 403. (I’m well aware this forum messed up what I actually pasted.)

It basically reads:

If we see this exploit, OR this one, OR this one, OR this one, redirect to index.php with a 403, stop processing rules.
If we’re not in the media/skin/js folder AND we’re not looking at an existing file, rewrite it to index.php, stop processing rules.

Why, when combined, do they not work? Same problem when I move the J.T. Edit below Mage’s original rewrite.

Admittedly I’m not an htaccess guru, but this has me stumped. Any advice?

 
edmondscommerce
Guru
 
Joined:  2008-08-26
 

How about, instead of rewriting, you just create a 403.php page and redirect to that?

so

#### @RS if the request contains /proc/self/environ
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
#### @RS
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked requests to 403.php (or more sneakily a 500 error, or whatever).
RewriteRule ^(.*)$ 403.php [R]
 
Martin
Guru
 
Joined:  2007-08-31
Brno | London | Los Angeles
 

Add one more rule for another attack type:

## Block out any request containing /etc/passwd
RewriteCond %{QUERY_STRING} etc\/passwd [OR]

I just saw the attempt to access /etc/passwd in client’s logs a few minutes ago ...

 
Martin
Guru
 
Joined:  2007-08-31
Brno | London | Los Angeles
 

And you may find useful also this section:

## Block other useful stuff
RewriteCond %{REQUEST_METHOD}  ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]

RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE}     ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

#Block MySQL injects
RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]

RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]

# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
 
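To see what the conditions in the first post and in Martin's two posts actually match, here is an added example that is not code from the thread, from Magento, or from the Joomla rule set it quotes: a small Python evaluator that reproduces the mod_rewrite RewriteCond semantics these rules rely on ([OR] joins the next condition, [NC] is case-insensitive, %{QUERY_STRING} is matched without percent-decoding) and runs both rule sets over a handful of constructed requests. The regexes are the ones posted above with the forum-mangled `&#xNN;` entities restored to the `%NN` escapes of the Joomla original; the function names, the sample requests and the Firefox and curl user-agent strings are my own assumptions, not anything from the thread.

```python
"""Run the thread's RewriteCond chains against constructed requests, modelling
what these rules depend on: conditions AND unless flagged [OR], a true [OR]
condition satisfies its group and the rest of the group is skipped, [NC] is
case-insensitive, and %{QUERY_STRING} is matched raw (no percent-decoding)."""
import re
from urllib.parse import unquote

# First post's rule set (sigsiu.net Joomla rules) with the forum-mangled
# "&#xNN;" entities restored to the original "%NN" escapes.
JT_RULES = r"""
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
"""

# Martin's two additions, same restoration, ASCII quotes.
MARTIN_RULES = r"""
RewriteCond %{QUERY_STRING} etc\/passwd [OR]
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule ^(.*)$ index.php [F,L]
"""

COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([A-Z,]+)\])?$")

def parse_conds(text):
    """Return [(variable, compiled regex, has [OR]), ...] in file order."""
    conds = []
    for line in text.strip().splitlines():
        if not line.startswith("RewriteCond"):
            continue                     # RewriteRule lines are not conditions
        m = COND_RE.match(line.strip())
        if m is None:
            raise ValueError("unparseable condition: " + line)
        flags = (m.group(3) or "").split(",")
        rx = re.compile(m.group(2), re.IGNORECASE if "NC" in flags else 0)
        conds.append((m.group(1), rx, "OR" in flags))
    return conds

def evaluate(conds, req):
    """Return (fires, matched): whether the RewriteRule after the chain would
    run, and the indices of the conditions that were tested and true."""
    matched, i = [], 0
    while i < len(conds):
        var, rx, is_or = conds[i]
        hit = rx.search(req.get(var, "")) is not None
        if hit:
            matched.append(i)
        if hit and is_or:
            while i < len(conds) and conds[i][2]:
                i += 1                   # skip the rest of this [OR] group
            i += 1                       # and the group's closing non-OR member
            continue
        if not hit and not is_or:
            return False, matched        # an AND condition failed
        i += 1
    return True, matched

def request(method, target, ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0",
            referer="", cookie=""):
    # Build the mod_rewrite variables for one constructed request.
    path, _, query = target.partition("?")
    return {"REQUEST_METHOD": method, "REQUEST_URI": path,
            "QUERY_STRING": query,       # raw, exactly as Apache exposes it
            "THE_REQUEST": f"{method} {target} HTTP/1.1",
            "HTTP_USER_AGENT": ua, "HTTP_REFERER": referer, "HTTP_COOKIE": cookie}

def php_sees(query):
    return unquote(query)                # PHP's single round of percent-decoding

JT, MARTIN = parse_conds(JT_RULES), parse_conds(MARTIN_RULES)

# Constructed sample traffic, not taken from any real log.
CASES = {
    "jt_test_encoded": request("GET", "/index.php?option=%3Cscript%3E"),  # as a browser sends it
    "jt_test_raw": request("GET", "/index.php?option=<script>"),
    "lfi_probe": request("GET", "/index.php?file=../../../../etc/passwd"),
    "search": request("GET", "/catalogsearch/result/?q=shoes"),
    "search_version": request("GET", "/catalogsearch/result/?q=v1.2"),
    "uptime_check": request("HEAD", "/", ua="curl/7.19.7"),
    "bypass": request("GET", "/index.php?option=%3Cscr%69pt%3E"),  # the 'i' of script as %69
}

if __name__ == "__main__":
    for name, req in CASES.items():
        print(name, "J.T.:", evaluate(JT, req), "Martin:", evaluate(MARTIN, req))
```

Running it prints, per request, whether each chain would fire and which condition fired. The `<script>` test from the first post is caught by both sets in URL-encoded and raw form, and Martin's `etc/passwd` condition catches the inclusion probe that the first set lets through. Two things to weigh before pasting the larger set into a live store: `^.*\.[A-Za-z0-9].*` rejects any query string containing a dot followed by a letter or digit (a search for `v1.2`, an e-mail address in a parameter), and the HEAD and curl conditions reject a typical uptime check. The last case shows the limit of keyword blacklists on a raw query string: encoding one letter of `script` as `%69` passes the first set untouched, yet PHP decodes it back to `<script>`; Martin's set stops it only because its final condition rejects every `<` or `%3C` in any query string. The evaluator checks the regexes and the OR logic of the posted rules, not Apache's per-directory processing, so it cannot reproduce the interaction with Magento's own rewrite that the first post asks about.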
edmondscommerce
Guru
 
Joined:  2008-08-26
 

Thanks Martin - J.T. - did you get yours working?

Also - what are your concerns regarding performance when using what could end up being a very large set of conditions and rules?

 
J_T_
Moderator
 
Joined:  2008-08-07
London-ish, UK
 

Thanks guys, not tried them yet.

I’ll stick them in a txt file and attach them, as this bloody forum keeps messing up special characters, which isn’t handy with precise htaccess rules like these.

Performance-wise, I don’t think it’ll be a big problem but I’m doing this for somebody’s budget hosting, so they can’t expect much in terms of performance to begin with.

I’m not sure how efficient Apache is with rules like these. I use Litespeed myself, so I would put them in the virtual host configuration, rather than htaccess files and would expect quite a nippy performance, even with lots of rules like this.

Thanks for adding to them, hopefully I can soon combine them all into one master file that sorts out these annoying hack attempts.

 
edmondscommerce
Guru
 
Joined:  2008-08-26
 

Just to clarify - it’s perfectly possible to put these kinds of rules in Apache vhost configuration files as well, or even better, use something like mod_security to achieve the desired effects, but that’s for another thread I suppose.

 
Martin
Guru
 
Joined:  2007-08-31
Brno | London | Los Angeles
 

Right, but if the store is hosted on some shared hosting (!), then the .htaccess is the only way, as you usually do not have access to your vhost config files ... at least here in CZ.

Another way could also be implementing some soft PHP firewall grabbing all requests and parsing them through some filter - but I think that it would be slower than .htaccess / vhost config rules, especially if the filter were configurable with filter conditions stored in a DB ...

 
J_T_
Moderator
 
Joined:  2008-08-07
London-ish, UK
 

Htaccess would be easiest for the vast number of people who insist on using Magento on a cheapskate “newbie” environment. They’ll know how to upload a htaccess file, or edit one. But vhosts will be beyond their comprehension. So indeed the goal here is to come to a decent set of htaccess based rules that tackle most of the currently known Magento-related (though not necessarily Magento’s fault) hacks.

@Martin, check this post where I indeed made such a quick PHP based protection filter:

http://www.magentocommerce.com/boards/viewreply/276654/

That could be another/additional avenue for very specific attacks. Or the index.php could be expanded with one include, which could be like a security.php file they can upload in the root, which then has a PHP version of those htaccess rules in there.

So there’s a few low-tech ways around these issues that I’m exploring. Hopefully we can come to something that is easily pastable and quite useful.

 