Recently I had an attack on a website of mine running Joomla (on another hosting company with Magic quotes ON but Register globals OFF), so now I'm much more demanding in terms of security.
I saw all the discussions in this forum about “magic quotes” in PHP5 and the fact that it is not considered dangerous.
I fear it can be “dangerous” because every Joomla-based web community uses many external components like galleries, games, calendars and so on… and the security of the code is not completely guaranteed…
During the attack on my website I found many attempts at SQL injection, and this seems easiest if magic quotes are OFF.
This is an example of the attack code I found in the statistics of my website:
01/01/2008 17:04:06 - http://www.xxxxxx.xx/index.php?option=com_puarcade&Itemid=92&fid=-1 union select concat(username,0x3a,password) from jos_users–
01/01/2008 17:05:07 - http://www.xxxxxx.xx/component/option,com_puarcade/Itemid,92/fid,-1 union select concat(username,0x3a,password) from jos_users–
It has also been tried on components other than puarcade, like Jevent and others.
On the internet I found a page that explains the exploit attempt and points the finger at “Magic quotes” OFF:
Input passed to the "catid" parameter is not properly verified before being used to sql query.
This can be exploited thru the browser and get the hash md5 password from users.
Successful exploitation requires that "magic_quotes" is off.
It is likely that my attack was done due to Register globals and not due to magic quotes, which was ON. But the code I've pasted here demonstrates that the hacker who attacked my website also tested for Magic Quotes related vulnerabilities. In this condition I don't want to re-publish the website, awaiting its return…
My intent is to switch “magic quotes” ON, as recommended by the Joomla devs, but I'm on shared hosting here on DreamHost.
On the DH wiki I found this:
Joomla! will run just fine with the default DreamHost setting, but if you are concerned about the "Security Warning" that is displayed, and would prefer to have Magic Quotes GPC set "ON" as recommended by the Joomla! development team, you can change this setting for use on your domain by installing your own version of PHP5, installing your own version of PHP4, or modifying your own copy of php.ini (for use with a local copy of DreamHost's default PHP installation) to change the setting.
I suppose these are instructions for dedicated or virtual server owners... Is there a way to turn "magic quotes" ON on a shared hosting plan as well?
...excuse me for my poor English :)
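
An added example, not part of the original post: a Python check over constructed log lines modelled on the two entries above. It flags non-integer values in ID parameters for both URL styles and reports whether magic-quotes-style escaping would have changed each value. The host name, the `INT_PARAMS` list and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed log lines modelled on the two entries in the post (host replaced,
# trailing comment marker omitted), plus a normal request and a harmless value
# that happens to contain a quote.
PAYLOAD = "-1 union select concat(username,0x3a,password) from jos_users"
BASE = "http://www.example.invalid"
LINES = [
    "01/01/2008 17:04:06 - " + BASE + "/index.php?option=com_puarcade&Itemid=92&fid=" + PAYLOAD,
    "01/01/2008 17:05:07 - " + BASE + "/component/option,com_puarcade/Itemid,92/fid," + PAYLOAD,
    "01/01/2008 17:06:10 - " + BASE + "/index.php?option=com_puarcade&Itemid=92&fid=7",
    "01/01/2008 17:07:12 - " + BASE + "/index.php?option=com_example&catid=O'Reilly",
]
INT_PARAMS = ("Itemid", "fid", "catid")  # assumption: parameters meant to be integers

def magic_quotes(value):
    """Emulate magic_quotes_gpc: backslash-escape \\, ', " and NUL, nothing else."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))

def params(url):
    """Collect parameters from ?key=value pairs and Joomla SEF /key,value/ segments."""
    parts = urlsplit(url)
    found = dict(parse_qsl(parts.query))
    for segment in unquote(parts.path).split("/"):
        key, sep, val = segment.partition(",")
        if sep:
            found[key] = val
    return found

def audit(line):
    """Return (timestamp, [(param, value, unchanged_by_magic_quotes), ...])."""
    stamp, _, url = line.partition(" - ")
    hits = []
    for key, val in params(url).items():
        if key in INT_PARAMS and not re.fullmatch(r"-?\d+", val):
            hits.append((key, val, magic_quotes(val) == val))
    return stamp, hits

if __name__ == "__main__":
    for line in LINES:
        stamp, hits = audit(line)
        for key, val, unchanged in hits:
            note = "unchanged by magic quotes" if unchanged else "escaped by magic quotes"
            print(stamp, key, repr(val), "->", note)
```

The logged `fid` value contains no quote characters, so the escaping leaves it unchanged; the strict integer check is what rejects it in both URL styles.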