CMS MAMBO JOOMLA

How can I secure my site from hacking attempts?

Keeping up to date with our extension updates is the best way to ensure you have all the bug fixes and security issues addressed.

If you are using Mosets Tree 1.50 - 1.58, please upgrade to 1.59 or to the latest release from the 2.0.x series. Additionally, make sure the following two configurations are disabled:

  • Joomla! Register Globals Emulation: OFF
  • Register Globals: OFF
You can check these configurations in your site's back-end under System > System Info.

There is also a set of mod_rewrite rules that are available in Joomla's .htaccess (renamed from htaccess.txt) file that will block out a lot of common exploits used to attack your Joomla website. To activate these rules, rename htaccess.txt to .htaccess and make sure the last section of the file looks like this:

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
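To see what these five conditions catch and what they let through before relying on them, here is an added Python check that is not part of this page or of Joomla!: it applies the same five patterns, with the same flags, to a few constructed query strings. Apache tests %{QUERY_STRING} as sent, without URL-decoding it, which is why the rules spell out %3C, %3E and %3D themselves, and only the <script> rule carries [NC], so only that one is case-insensitive; the emulation keeps both properties. The sample strings and rule labels are constructed for this example.

```python
import re

# Example added to this page (not Joomla!'s own code): the five RewriteCond
# patterns from the htaccess.txt section above, with the flag each carries.
# Apache chains the first four with [OR]; the fifth has no [OR], so a request
# is blocked (RewriteRule ... [F,L] -> 403) when ANY of the five matches.
RULES = [
    ("mosConfig via URL",  r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)",  0),
    ("base64_encode call", r"base64_encode.*\(.*\)",               0),
    ("script tag",         r"(\<|%3C).*script.*(\>|%3E)",          re.IGNORECASE),  # [NC]
    ("GLOBALS override",   r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",       0),
    ("_REQUEST override",  r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",      0),
]


def blocked_by(query_string):
    """Return the label of the first RewriteCond the raw query string matches,
    or None if the request would reach Joomla!. Like Apache, the string is
    matched as sent (still URL-encoded), so the patterns list %3C, %3E and
    %3D explicitly rather than relying on decoding."""
    for label, pattern, flags in RULES:
        if re.search(pattern, query_string, flags):
            return label
    return None


# Constructed sample query strings: ordinary Joomla! 1.0 front-end requests
# that must keep working, and one request per rule in the shape it is meant
# to stop. Expected verdicts are the dict values.
SAMPLES = {
    "option=com_content&task=view&id=12&Itemid=27": None,
    # the word "script" alone, without < > or %3C %3E, is legitimate search input
    "option=com_search&searchword=javascript+tutorial": None,
    "mosConfig_absolute_path=http%3A%2F%2Fexample.invalid%2F": "mosConfig via URL",
    "id=1&data=base64_encode(foo)": "base64_encode call",
    "searchword=%3Cscript%3Efoo%3C%2Fscript%3E": "script tag",
    "GLOBALS[foo]=bar": "GLOBALS override",
    "_REQUEST[option]=com_foo": "_REQUEST override",
}


def check_samples(samples=SAMPLES):
    """Run every sample through blocked_by(); returns a list of
    (query_string, expected, actual, ok) tuples."""
    results = []
    for qs, want in samples.items():
        got = blocked_by(qs)
        results.append((qs, want, got, got == want))
    return results


if __name__ == "__main__":
    for qs, want, got, ok in check_samples():
        verdict = "403" if got else "pass"
        print(f"{'OK ' if ok else 'BAD'} {verdict:4} {qs}  ({got})")
```

Running the script prints one line per sample; the two ordinary Joomla! requests pass and each of the remaining five is stopped by the rule written for it. If you add rules of your own to the block, a check like this against the real query strings your menus, search and pagination generate is the quickest way to catch a false positive before it locks legitimate visitors out with a 403.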

ArtioSEF performance hack

Yes, I'm obsessed with caching.

There are reasonable reasons to use it, too. I got banned by my shared hosting provider for eating up 100% CPU with SQL queries. Why did this happen? Because ArtioSEF is performing a query for every URL on your Joomla site each time you load a page. All the menus, pagination links, forum links, category views, call sefRelToAbs to translate a regular URL into a SEF optimized URL.

So I thought, what happens if we cache successful SELECT queries from the ArtioSEF #__redirection table?

It's a good thing, because you get your account unbanned ;)


This is a core hack. You need to re-apply it if reinstalling or upgrading Joomla!. It's made and tested by me on Joomla 1.0.12.

Here's what you need to do:

Download database.modified, rename it to database.php and place it in your /includes folder (overwrite the existing file)

OR

- backup your includes/database.php
- open your includes/database.php
- locate the loadResult function. It should be at line 432:

function loadResult() {

- delete everything between

/**
* This method loads the first field of the first row returned by the query.
*
* @return The value returned in the query or null if the query failed.
*/

AND

/**
* Load an array of single field results into an array
*/

- paste this modified loadResult function instead:

   function loadResult() {
      $ret = null;
      /*
       * mod by teachmejoomla: serve repeated ArtioSEF redirection lookups
       * from Cache_Lite instead of running the same SELECT again
       * (stripos() requires PHP 5)
       */
      if ( stripos( $this->_sql, 'mos_redirect' ) !== false && stripos( $this->_sql, 'select' ) !== false ) {
         global $mosConfig_absolute_path;
         global $mosConfig_cachepath, $mosConfig_cachetime;
         require_once( $mosConfig_absolute_path . '/includes/Cache/Lite/Function.php' );

         // the cache key is the hash of the exact SQL string
         $cachename = md5( $this->_sql );
         $lifetime  = $mosConfig_cachetime;
         $cache     = new Cache_Lite( array(
            'cacheDir' => $mosConfig_cachepath,
            'lifeTime' => $lifetime
         ) );

         if ( $cachedquery = $cache->get( $cachename ) ) {
            //echo "CACHE HIT: $this->_sql<br />";
            $row = unserialize( $cachedquery );
         } else {
            //echo "CACHE MISS: $this->_sql<br />";
            if ( !( $cur = $this->query() ) ) {
               // query failed: drop any stale cached copy (Cache_Lite has remove(), not delete())
               $cache->remove( $cachename );
               return null;
            }
            $row = mysql_fetch_row( $cur );
            if ( $row ) {
               $cache->save( serialize( $row ), $cachename );
            }
            mysql_free_result( $cur );
         }
         if ( $row ) {
            $ret = $row[0];
         }
      } else {
         // original Joomla! 1.0.12 behaviour for every other query
         if ( !( $cur = $this->query() ) ) {
            return null;
         }
         if ( $row = mysql_fetch_row( $cur ) ) {
            $ret = $row[0];
         }
         mysql_free_result( $cur );
      }
      return $ret;
   }
Save and enjoy!

About core hacking


What is core-hacking?

Joomla is designed for flexibility and modularity. It provides several layers to change the way content gets displayed and organized. You can customize content display in Global Configuration, Menu item type and parameters, or use a mambot to hide/show, replace, or highlight text strings, author names, etc.

However, there are some things you just can't change using the administration backend. These changes can only be made by manually editing the Joomla PHP source files.

Many people also modify component, module or mambot PHP code to get the desired results. (Modules are installable and configurable via the administration backend. Modules, mambots and components are also referred to using the general term extensions.)

Do I need core-hacking?

Core-hacking is required for some components to work (Mambelfish is the only example I have in mind right now). You should only use it if you have no other alternatives. The Joomla core files are overwritten during a Joomla version upgrade. You need to re-hack the code after an upgrade, and you don't know if it's going to work with the new version. Use with caution on "live" sites.

First of all, you need to know that hacking the core files may affect overall Joomla/Mambo behaviour, as well as component/module/mambot functionality. After all, this is what you want when you decide to core-hack Joomla.