Joomla, magic quotes, shared hosting


#1

Hello,
Recently I had an attack on a website of mine running Joomla (on another hosting company with Magic quotes ON but Register globals OFF), so now I’m much more exigent in terms of security.
I saw all the discussions in this forum about “magic quotes” in PHP5 and how it is not considered dangerous.
I fear it can be “dangerous” because every Joomla-based web community uses many external components like galleries, games, calendars and so on… and the security of the code is not completely guaranteed…

During the attack on my website I’ve found many attempts at SQL injection, and this seems easiest if magic quotes are OFF.

This is an example of the attack code I’ve found in the statistics of my website:

[color=#CC0000]
01/01/2008 17:04:06 - http://www.xxxxxx.xx/index.php?option=com_puarcade&Itemid=92&fid=-1 union select concat(username,0x3a,password) from jos_users--
01/01/2008 17:05:07 - http://www.xxxxxx.xx/component/option,com_puarcade/Itemid,92/fid,-1 union select concat(username,0x3a,password) from jos_users--
[/color]

It has also been tried on components other than puarcade, like Jevent and others.

On the internet I’ve found a page that explains the exploit attempt and puts the finger on “Magic quotes” OFF:

http://www.milw0rm.com/exploits/4691

[color=#0000CC]

Vulnerability:
Input passed to the "catid" parameter is not properly verified before being used to sql query. 
This can be exploited thru the browser and get the hash md5 password from users.
Successful exploitation requires that "magic_quotes" is off.

[/color]

It is likely that my attack has been done due to Register globals and not due to magic quotes, which was ON. But the code I’ve pasted here demonstrates that the hacker that attacked my website also tested for Magic Quotes related vulnerabilities. In this condition I don’t want to re-publish the website attending its return…

My intent is to switch “magic quotes” ON, as recommended by the Joomla devs, but I’m on shared hosting here on Dreamhost.
On the DH wiki I’ve found this:

[color=#0000CC]

Joomla! will run just fine with the default DreamHost setting, but if you are concerned about the "Security Warning" that is displayed, and would prefer to have Magic Quotes GPC set "ON" as recommended by the Joomla! development team, you can change this setting for use on your domain by installing your own version of PHP5, installing your own version of PHP4, or modifying your own copy of php.ini (for use with a local copy of DreamHost's default PHP installation) to change the setting.
[/color]

I suppose these are instructions for dedicated or virtual server owners... Is there a way to turn "magic quotes" ON on a shared hosting plan too?

Thanks
...excuse me for my poor English :)

Cris

#2

You are correct that there are Joomla! components that are not properly hardened, and in some instances, magic_quotes being ON can help make the software more secure. The Joomla! core, and many components, are coded in such a way that the magic_quotes setting is not relevant.

[quote]This is an example of the attack code I’ve found in the statistics of my website:
01/01/2008 17:04:06 - http://www.xxxxxx.xx/index.php?option=com_puarcade&Itemid=92&fid=-1 union select concat(username,0x3a,password) from jos_users--
01/01/2008 17:05:07 - http://www.xxxxxx.xx/component/option,com_puarcade/Itemid,92/fid,-1 union select concat(username,0x3a,password) from jos_users-- [/quote]
This code relies upon your leaving the table prefix set to the default “jos_users”. One way of “hardening” that is to use a different prefix (I use a different prefix for every installation).

[quote]Vulnerability:
Input passed to the “catid” parameter is not properly verified before being used to sql query.
This can be exploited thru the browser and get the hash md5 password from users.
Successful exploitation requires that “magic_quotes” is off.[/quote]
The newest version of Joomla! also salts the MD5 password, which adds another layer of security.

[quote]My intent is to switch “magic quotes” ON, as recommended by the Joomla devs, but I’m on shared hosting here on Dreamhost.
On the DH wiki I’ve found this:

Joomla! will run just fine with the default DreamHost setting, but if you are concerned about the "Security Warning" that is displayed, and would prefer to have Magic Quotes GPC set "ON" as recommended by the Joomla! development team, you can change this setting for use on your domain by installing your own version of PHP5, installing your own version of PHP4, or modifying your own copy of php.ini (for use with a local copy of DreamHost's default PHP installation) to change the setting.
[/quote]
That section also applies to DreamHost shared hosting customers, and there are instructions for doing that in the DreamHost wiki:

[url=http://wiki.dreamhost.com/Installing_PHP5#Using_DreamHost.27s_PHP_5]http://wiki.dreamhost.com/Installing_PHP5#Using_DreamHost.27s_PHP_5[/url]
[url=http://wiki.dreamhost.com/Installing_PHP4]http://wiki.dreamhost.com/Installing_PHP4[/url]
[url=http://wiki.dreamhost.com/PHP.ini]http://wiki.dreamhost.com/PHP.ini[/url]
[url=http://wiki.dreamhost.com/Custom_PHP.ini]http://wiki.dreamhost.com/Custom_PHP.ini[/url]
[url=http://wiki.dreamhost.com/PHP_Magic_Quotes]http://wiki.dreamhost.com/PHP_Magic_Quotes[/url]

--rlparker
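
Added example, not part of either post and not Joomla or DreamHost code: a Python check over constructed log lines in the two URL shapes shown in the thread. It assumes `fid`, `Itemid` and `catid` are integer ids, emulates the quote-escaping that magic quotes applied, and reports whether that escaping would alter each non-integer value.

```python
from urllib.parse import urlsplit, parse_qsl, unquote
import re

# Constructed sample lines: placeholder host, shortened stand-in payload.
SAMPLE_LOG = [
    "01/01/2008 17:04:06 - http://www.example.test/index.php?option=com_puarcade&Itemid=92&fid=-1 union select 1",
    "01/01/2008 17:05:07 - http://www.example.test/component/option,com_puarcade/Itemid,92/fid,-1 union select 1",
    "01/01/2008 17:06:10 - http://www.example.test/index.php?option=com_puarcade&Itemid=92&fid=7",
]

# Assumption: these parameters are integer ids in the components involved.
INT_PARAMS = {"Itemid", "fid", "catid"}
INT_RE = re.compile(r"-?[0-9]+")

def addslashes(value):
    """Emulate magic-quotes escaping: backslash before ' " \\ and NUL."""
    return value.translate({39: "\\'", 34: '\\"', 92: "\\\\", 0: "\\0"})

def request_params(url):
    """Collect parameters from the query string and from 'name,value' path segments."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    for segment in parts.path.split("/"):
        name, sep, value = segment.partition(",")
        if sep:
            params[name] = unquote(value)
    return params

def review(line):
    """Return integer parameters whose logged value is not a plain integer."""
    url = line.split(" - ", 1)[1]
    findings = []
    for name, value in request_params(url).items():
        if name in INT_PARAMS and not INT_RE.fullmatch(value):
            findings.append({
                "param": name,
                "value": value,
                "changed_by_quote_escaping": addslashes(value) != value,
            })
    return findings

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line[:19], review(line))
```

Both flagged sample values contain no quote characters, so the emulated escaping leaves them unchanged, while the strict integer check rejects them in either URL shape.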

#3

Thanks for your quick and useful reply. I will try to change the setting using the instructions on the wiki…
Maybe I will come here again for some help… :)
Thanks
Cris


#4

You are welcome, and hopefully those wiki articles will give you what you need to know to make the setting change.

You are, of course, always welcome! ;)

--rlparker