Support

Admin Tools

#9699 New code for .htaccess

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Saturday, 20 November 2010 08:16 CST

user17877
I think you should add some extra protection like this one (to created .htaccess file):

ServerSignature Off
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]

RewriteCond %{HTTP_REFERER} ^(.*)(|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:||”>|”

steph.s
In Admin Tools Pro there is an option to add additional password security to the Joomla Admin.

nicholas
Akeeba Staff
Manager
There's a good reason why none of this is currently present :) The ServerSignature directive is not supported on most shared hosts (it is set in the system-wide httpd.conf file) and throws 500 error, that's why it's not there. The second rule kills many CDNs, browser cache control (it needs to do a HEAD request to get the 304 response), some HTTPS implementations (they need to run TRACE during the handshake) and RESTful APIs such as those provided by all Nooku-powered components. The third rule can potentially kill some form submissions and multiline input. The other rules are basic anti-XSS rules, however Joomla! itself does this kind of handling during application initialization. Duplicating them in the .htaccess file only slows down the request.

The CAPTCHA is a good idea, I'll look into it. I am not sure if it can be implemented without a template override, but it is worth examining. ReCAPTCHA would be good enough for your needs?

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user17877
1) thanks, you know better than me ;)
2) yes - ReCAPTCHA should be okey , but it will be easer (?) to add simple match code (3+4 = ??) hackers spiders don't like it, still

3) I think you should, also, update your documentation about this Tool

4) look at attachments it's polish plugin to protect usernames plg_spadaj(getlost)

nicholas
Akeeba Staff
Manager
I was thinking about the "math quiz" CAPTCHA, but it's a simple matter of time before a hacker manages to break this (which is VERY trivial to perform). I mean, if you want to protect your login from brute force cracking, the match CAPTCHA is the least effective means. It's best to put higher obstacles in the course of the hacker. Protecting your entire administrator area with a username and password (included in Admin Tools Core) works wonders. Adding a secret query parameter and filtering by IP when possible (both included in Admin Tools Professional) seriously hampers hackers' ability to even get to your login. The math CAPTCHA can be defeated about a thousand times more easily than ReCAPTCHA, so I'll opt for the latter.

Why the match CAPTCHA is easy to defeat? In order to make it universal, it has to produce standard numbers and math symbols (+, -, /, *). The HTML can be randomized only that much. If a hacker wants to brute force his way into your site, writing a tool to parse the math quiz is ten minutes work and provides 100% accuracy. This would, essentially, provide snakeoil security. Writing code to defeat ReCAPTCHA is many months work and doesn't guarantee 100% success.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!