Checking for XSS and dodgy patch to fix. - Joomla! Forum - community, help and support

-

having been notified 1 of sites after had xss vunerability. :-[

i suggest check sites not on website http://www.xssed.org  >:(

i have hacked comment preventing vote option prevent xss until such time true fix occurs. ;)

there loads of joomla sites affected. :-\hi!
i try in english, hope can understand
i thing best can is  don't use vulnerable extensions; but, if not sure that, can try 1 "extra protection"

can use .htaccess  + mod_rewrite?

this 1 can stop lot of xss intrusions, scanners, etc:

code: select all

rewriteengine on

options +followsymlinks
#evitar escaneos y cualquier tipo de inyección o manipulación malintencionada
# de la url. con esta regla es imposible lanzar ataques de inyección (sql, xss,
#etc)
rewritecond %{http_user_agent} ^$ [or]
rewritecond %{http_user_agent} ^(-|\.|') [or]
rewritecond %{http_user_agent} ^(.*)(<|>|%3c|%3e)(.*) [nc,or]
rewritecond %{http_user_agent} ^(java|curl|wget)(.*) [nc,or]
rewritecond %{http_user_agent} ^(.*)(libwww-perl|libwwwperl|snoopy|curl|wget|winhttp|python|nikto|scan|clshttp|archiver|loader|email|harvest|fetch|extract|grab|miner|suck|reaper|leach)(.*) [nc,or]

rewritecond %{request_uri} ^(/,|/;|/<|/>|/'|/`|/%2c|/%3c|/%3e|/%27|/////) [nc,or]
rewritecond %{http_referer} ^(.*)(%00|%08|%09|%0a|%0b|%0c|%0d|%0e|%0f|%2c|<|>|'|%3c|%3e|%26%23|%27|%60)(.*) [nc,or]
rewritecond %{query_string} ^(.*)(%00|%08|%09|%0a|%0b|%0c|%0d|%0e|%0f|%2c|%3c|%3e|%27|%26%23|%60)(.*) [nc,or]
rewritecond %{query_string} ^(.*)('|-|<|>|,|/|\\|\.a|\.c|\.t|\.d|\.p|\.i|\.e|\.j)(.*) [nc,or]
rewritecond %{http_cookie} ^(.*)(<|>|'|%3c|%3e|%27)(.*) [nc]
rewriterule .* - [f]
# optional, if want redirect forbidden error url, uncomnent next line
# errordocument 403 http://www.domain.com


try 1 carrefully, working fine me on "test-site"; but, practce recent. found original lines in ]www.0x000000.com  , change last "rewiterule" original.


you can enable rules configuring directly "virtual file" or "httpd.conf/apache2.conf of server)

you can aply same protection, using particular mod_security rules, "mod_security" (using .htaccess enable rules or configuring  directly "virtual file" or "httpd.conf/apache2.conf)

cheers





Comments

Post a Comment

Popular posts from this blog

DHT11 Time out error using v0.4.1library

-
Image
i'm struggling dht11 sensor work on arduino. code compiles without problems in serial monitor output keep on getting " read sensor: time out error" i've tried multiple libraries, adafruit etc still none of them worked. set serial monitor same speed (115200) didn't fix problem.  i'm using:  mega2560  dht11 temp+hum sensor windows10 x64 arduino 1.6.9 library dht11.h v0.4.1 source:  http://playground.arduino.cc/main/dht11lib wiring : blue = gnd yellow = 2 red = 5v (also see picture)  my code:    code: [select] #include <dht11.h> // //   file:  dht11_test1.pde // purpose: dht11 library test sketch arduino // //celsius fahrenheit conversion double fahrenheit(double celsius) {   return 1.8 * celsius + 32; } // fast integer version rounding //int celcius2fahrenheit(int celcius) //{ //  return (celsius * 18 + 5)/10 + 32; //} //celsius kelvin conversion double kelvin(double celsius) {   return ...
Read more

Sketch upload fails with Java error (___REMOVE___/bin/avrdude)!

-
hi, i'm getting same error despite have tried 2 boards , done arduino reinstall in windows 7 machine! while trying update "bareminimum" in verbose mode: code: [select] arduino: 1.8.0 (windows 7), board: "arduino/genuino uno" sketch uses 450 bytes (1%) of program storage space. maximum 32256 bytes. global variables use 9 bytes (0%) of dynamic memory, leaving 2039 bytes local variables. maximum 2048 bytes. ___remove___/bin/avrdude -c___remove___/etc/avrdude.conf -v -patmega328p -carduino -pcom8 -b115200 -d -uflash:w:c:\users\rui\appdata\local\temp\arduino_build_445303/bareminimum.ino.hex:i java.io.ioexception: cannot run program "___remove___/bin/avrdude": createprocess error=2, system cannot find file specified  at java.lang.processbuilder.start(processbuilder.java:1048)  at processing.app.helpers.processutils.exec(processutils.java:26)  at cc.arduino.packages.uploader.executeuploadcommand(uploader.java:129)  at cc.arduino.p...
Read more

Arduino Uno + KTY81/210 temperature sensor

-
Image
hi, sorry, new , unsure lot of things, need clarification. haven't found information explains how , why things work, "do this, that" i following guide ( arduino-thermistor-temperature-sensor-tutorial ) connect thermistor arduino uno. here temperature sensor information: temp. sensor 2000r +-1% to92 part.no.:   kty81-210 name:   temp. sensor 2000r +-1% to92 description:   2.5mm, 1980...2020ohm, -55...+150°c and here sensor's data-sheet: sensor data-sheet i have connected same way in guide. works , values being serial printed. what don't understand: 1. thermistor's , resistor's ohm value should equal, correct? in case 2000 ohm? 2. thermistor has ptc, i'm guessing have invert math or use ntc thermistor instead correct values? (currently resistance goes temperature goes down) 3. understand code uses steinhart-hart math logic convert resistor value temperature value, need a, b , c coefficients of thermis...
Read more