Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

Transcription

1 1. HARDENING PHP Hardening Joomla 1.1 Installing Suhosin Suhosin is a PHP Hardening patch which aims to protect the PHP engine and runtime environment from common exploits, such as buffer overflows in PHP Core, or remote code execution within scripts, and allowing configuration of ingress filters, logging and alerts. To install Suhosin, follow the tutorial from the projects homepage here. Suhosin currently does not work with the latest branch (5.4) of PHP, due to certain functionality being removed from PHP 5.4 that Suhosin expects. Therefore, to use Suhosin, an earlier version of PHP must be used. 1.2 Disable Remote Includes allow_url_include (disabled by default) and allow_url_fopen (enabled by default) both allow the inclusion of remote PHP files based on a URL scheme or data stream. Disabling allow_url_include will stop any URLs being passed to the require or include functions, while still allowing fopen wrappers to open remote files. If opening remote files such as media is not required programmatically within the source code, then allow_url_fopen should also be disabled. 1.3 Disable Unneeded Functions & Classes Unneeded functions and classes, such as eval() or system(), which are not required within the Joomla website should be disabled from the php.ini file. Some high-risk functions include show_source, system, shell_exec, passthru, exec, phpinfo, proc_open, popen, eval, and highlight_file. 1.4Configure open_basedir Restriction of the open_basedir setting restricts PHP to opening files within a certain directory tree. Any attempt to open a file outside of this tree is denied by PHP. 1.5 display_errors PHP errors can disclose sensitive information such as file paths which could help a malicious user in attacking a website. display_errors, which is configured to true by default, should be set to false or, as of PHP 5.2.4, may instead be set to send error messages to the Standard Error output stream (stderr). 1.6 file_uploads Allowing the upload of arbitrary files through PHP could allow a malicious user to upload executable code, or files that can be used to further exploit an otherwise minor security hole such as local file inclusion. If possible the file_uploads configuration setting should be disabled, however this will stop website administrators, editors and other users from uploading images through the Joomla administration and new article panels. Any uploads must happen externally to the PHP runtime environment, for example, over FTP. 1.7 PHP Auditor The PHP Auditor, available here, will scan a PHP install for compliance with recommended security settings. These security settings are configurable via an XML file so that the recommended settings can be tweaked to a specific environment. This report should be checked periodically to ensure configuration options have not been accidentally reverted.

2 2. SET UP PERMISSIONS Proper configuration of file system permissions on Joomla files is essential to mitigate the risk of security flaws in the Joomla core or additional extensions used by the website being secured. Generally, files should be set to `chmod 644` while directories should be set to `chmod 755`. Additional folders that Joomla may require write access to should be configured individually. To configure permissions on all files and folders with the above permissions, run the following two commands from the shell, and from your root Joomla installation folder. 3. LIMIT ADMINISTRATION PANEL ACCESS Access to the Joomla administrator panel should be configured using an.htaccess file to limit access to a single IP or small subnet. This means that even in the event of an administrators session being stolen by a malicious user, for example through a cross-site scripting attack, the malicious user would not be able to perform any administration-level tasks on the Joomla website, such as posting new stories or modifying the source code via the theme editor. In the event that an administrator s IP does change, or they need to make an emergency change to the website from a different location, the.htaccess file may be modified manually by logging into the server using ssh or ftp. 4. DISABLE DIRECTORY BROWSING Each directory should have its file listing disabled, or a blank index page left in order to stop people viewing all files in a directory. This will protect any out of date files, configuration files or file backups that may have been forgotten to be removed from the server. These sensitive files could reveal internal configuration information, or perhaps even stored passwords. 5. CHANGE THE JOOMLA TABLE PREFIX find. type d exec chmod 755 {} \; find. type f exec chmod 644 {} \; The themes folder especially should be protected against write access by Joomla, as using the in-built Themes editor would allow a malicious user who has managed to gain control of the administrators session to insert a backdoor onto the website, allowing them to gain system access through commands such as exec(). Changing the Joomla table prefix protects the server from mass SQL Injection, or other database attack threats. This will help protect the website from automated exploitation in case of a new Joomla exploit being discovered, and will also reduce the speed at which a manual attacker can exploit the website. 6. INSTALL SECURITY-RELATED EXTENSIONS Many security-related Joomla extensions exist, from Intrusion Detection Systems to version trackers. All of these extensions are available via the Joomla Extension Directory. PHPIDS is a native PHP Web Application Firewall which runs independently of Joomla, designed for identifying potential exploit strings as they re sent inbound from the malicious attacker to your web server. PHPIDS can be configured to respond to different threats based on a score, ranging from logging a message for the website administrator to ending the malicious user s session.

3 6. INSTALL SECURITY-RELATED EXTENSIONS PHPIDS is designed to be lightweight and only runs its filters on suspicious requests, allowing through any request comprised of a-z, 0-9, or or _ characters, without passing these request parameters through the filters. To incorporate PHPIDS into a Joomla website, please see Appendix C. Joomla! Anti-Hacker Security Suite is a non-free Web Application Firewall with protection against attacks in a similar manner to PHPIDS. It also contains an Antivirus to scan files of a Joomla installation for any malware or viruses that malicious users may place on the server, either via legitimate file upload functionality available on the website, or by compromising the web server. Admin Tools Core helps lock down permissions on a Joomla installation by adding configurable Access Control Lists, rewriting of URLs from HTTP to HTTPS and changing Joomla PHP file permissions on the server. 7. KEEP ALL SOFTWARES AND EXTENSIONS UP-TO-DATE Joomla can automatically update itself if configured to do so. Running out of date software can lead to a major security breach as, as soon as a patch for an exploit is released, the exploit can be deduced from the patch in due to Joomla s open source nature. 8. INSTALL AN SSL CERTIFICATE Use of an unencrypted HTTP session could enable a malicious attacker, located on the same network as an administrator user, to hijack the administrators logged in session and fraudulently represent themselves as the websites administrator. They may also modify system files through the theme editor, affording them full access to the server that the blog is hosted on. 9. REMOVE THE JOOMLA VERSION NUMBER Automated scanners or malicious users manually attacking a Joomla installation may use the version number displayed by Joomla to determine if the installation is vulnerable to exploits. Removing the version number from display on the webpage will stop some basic scanners from determining which version of Joomla is running. 10. USE A.htaccess FILE OR SERVER CONFIGURATION FILE A.htaccess file is a file read by a HTTP server, such as apache, containing server configuration and access control rules on a per-directory basis. Proper configuration of a.htaccess file can block malicious users from downloading sensitive files, ban offending IP addresses from loading the website, and redirect HTTP requests to updated URLs. Refer here for htaccess or configuration file options. It is preferable to configure the server via a centralised configuration file, such as httpd.conf, as using.htaccess files can cause performance overheads. Any configuration options available via a.htaccess file are also available by modifying the global server configuration file.

4 11. CONTINUED MAINTENANCE All Joomla extensions should be checked regularly for issues or updates. Any extensions with unresolved security or stability issues should be revaluated for inclusion, and any available updates applied. Also, any extensions which are no longer in use should be disabled or, if possible, removed entirely. Regular requirement auditing should take place to identify these extensions. Core Joomla updates should be applied as soon as possible after their release and evaluation for compatibility with the existing websites. The server hosting the Joomla installation, and other infrastructure, should be patched and kept up-to-date in line with existing policies. 12. APPENDIX A - DISABLING PHP OPTIONS PHP configuration options, such as allow_url_fopen, may be enabled or disabled from within the php. ini configuration file. To modify these configuration settings, open php.ini, find the string in question (i.e., allow_url_fopen) and change the number on the line to 1 (enabled) or 0 (disabled). Other configuration options, such as disable_functions or open_basedir, are strings stored within php.ini. The PHP Manual details their syntax and available options. 13. APPENDIX B - CHECKLIST Title Yes No 1.1 Install Suhosin SERVER 1.2 Disable Remote Includes SERVER 1.3 Disable Unneeded Functions & Classes SERVER 1.4 Configure open_basedir SERVER 1.5 Suppress display_errors SERVER 1.6 Disable file_uploads SERVER 1.7 Execute PHP Auditor SITE 2 Configure Permissions SERVER 3 Limit Administrator Panel Access BOTH 4 Disable Directory Browsing SERVER 5 Change The Joomla Database Table Prefix SITE 6 Install Security Related Extensions SITE 7 Keep All Software and Extensions Up-To-Date SITE 8 Install An SSL Certificate SERVER 9 Remove The Joomla Version Number SITE 10 Use A.htaccess File Or Server Configuration File BOTH

5 13. APPENDIX C - LIST OF POTENTIALLY EXPLOITABLE PHP FUNCTIONS Based on the list of exploitable or abusable PHP functions made available here. Please see the PHP manual for more information on each below function in order to determine which should be disabled on your server. Command Execution Exec passthru system shell_exec / ` ` popen proc_open pcntl_exec PHP Code Evaluation eval assert preg_replace create_function dl include[_once] require[_once] Information Disclosure phpinfo posix_mkfifo posix_getlogin posix_ttyname getenv get_current_user proc_get_status get_cfg_var disk_free_space disk_total_space diskfreespace getcwd getlastmod getmygid getmyinode getmypid getmyuid extension_loaded Returns last line of command output Returns command output to browser Returns command output to browser Returns command output to browser Opens read/write pipe to a process Opens read/write pipe to a process Executes a command evaluates PHP code see eval() Requires the e modifier to be present Creates function with user supplied code Loads an extension library May include local or remote files May include local or remote files Displays sensitive configuration settings Returns environment variables Returns the owner of the PHP script Get information about a process Displays sensitive configuration settings Displays the current path of a PHP script Displays the last modification time Displays if an extension is loaded

6 14. APPENDIX D - INCORPORATING PHPIDS WITH JOOMLA PHPIDS should be included within the index.php file for execution before any other PHP code. To do this, add an include or require to a customised configuration file as detailed within the docs/example.php file within the PHPIDS source code zip file. Add one of the following lines to the beginning of index.php: include example.php ; or require example.php ;