Vulnerabilities and their remediation. Protection against various hacking methods.

Disable frontend login with .htaccess

Sergej » 17 Nov 2019, 19:09

This is the summary post, based on several preceding ones in the Russian thread:
viewtopic.php?f=17&t=235#p831
viewtopic.php?f=17&t=235#p832
viewtopic.php?f=17&t=235&start=10#p833
In advance, sorry for my imperfect English ;)

OK. Disable frontend login with .htaccess

As far as I know, there is no option in the Joomla admin panel to totally disable access to the frontend login form.
On Joomla's forum one "expert" suggested that I disable the login module via the database. I tried viewtopic.php?f=3&t=228#p834 and nothing...

After googling the problem and understanding that there is no solution in the ENTIRE INTERNET, we decided that blocking this form via the server configuration (e.g. via .htaccess) is the best solution, without hacking Joomla's core. Our members, especially Александр, started researching the Apache manuals.

We can access Joomla's frontend login page at least through these URIs:
  • /index.php?option=com_users&view=login
  • /index.php?option=com_users
  • /?option=com_users
If the SEF is enabled, these URIs are also available:
  • /index.php/component/users
  • /component/users
As you can see, we have only one common token: "users".
But it would be too broad to block all URIs containing the token "users".
And we can't be 100% sure that the above list of frontend login form URIs is exhaustive.

We can use at least two approaches with .htaccess:
1. Mod_alias Redirect directives
2. Mod_rewrite directives

But before we see the ultimate .htaccess ruleset, we need a little bit of theory:

  • Mod_alias (Redirect directives) doesn't deal with the Query String;
  • In the case of /index.php/component/users, "component/users" is PATH_INFO.
    PATH_INFO is an environment variable set by Apache. It contains the trailing pathname information that follows an actual filename or a non-existent file in an existing directory, whether the request is accepted or rejected.
    Mod_alias (Redirect directives) and RewriteRule directives don't deal with PATH_INFO. We can check it only in RewriteCond sections;
  • RewriteRule directives have issues with intentionally doubled, tripled etc. slashes.
    What am I talking about? This: //index.php/component/users, /index.php/component/users//, //?option=com_users, /?option=com_users//
    We didn't dive deep into this problem, but we understood that RewriteRule patterns can't be used! Only RewriteConds;
  • To prevent a redirect with the Query String, we append a question mark "?" to the end of the redirect URL;
  • Presumably, Mod_alias Redirect puts less load on the server than Mod_rewrite directives. Why not use it?

Enough with theory!

The ultimate .htaccess ruleset to disable Joomla's frontend login that we tested:
Code:
# mod_alias: catch the SEF path prefix; the trailing "?" stops the query string being appended
Redirect 301 "/component/users" "http://gonowhereintoblackhole.com?"
# mod_rewrite: catch the non-SEF query string and the PATH_INFO form (already On in Joomla's stock .htaccess)
RewriteEngine On
RewriteCond %{QUERY_STRING} .*option=com_users.* [NC,OR]
RewriteCond %{PATH_INFO} .*component/users.* [NC]
RewriteRule (.*) http://gonowhereintoblackhole.com? [R=301,L]


Any enhancements are appreciated!
Sergej
 
Posts: 25
Joined: 15 Sep 2014, 21:44
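Added example (not from Sergej's post, Joomla, or Apache): a small offline Python model of the three-rule set above, so the listed URIs and their slash variants can be checked against each rule before touching a real server. It assumes a simplified view of how Apache derives PATH_INFO (the part of the path after the first *.php segment) and QUERY_STRING (everything after the first "?"); it does not model MergeSlashes or Joomla's own internal SEF rewrite, so a URI this model reports as reachable should still be retested against the live server.

```python
import re

# Simplified offline model of the three-rule .htaccess set from the post.
# Assumption: this is a Python approximation, not Apache itself. PATH_INFO is
# taken as the path after the first *.php segment; QUERY_STRING is everything
# after the first '?'. MergeSlashes and Joomla's internal SEF rewrite are not modelled.
REDIRECT_PREFIX = "/component/users"                             # Redirect 301 "/component/users" ...
QUERY_COND = re.compile(r"option=com_users", re.IGNORECASE)      # RewriteCond %{QUERY_STRING} ... [NC]
PATH_INFO_COND = re.compile(r"component/users", re.IGNORECASE)   # RewriteCond %{PATH_INFO} ... [NC]
SCRIPT_RE = re.compile(r"(.*?\.php)(/.*)?$", re.IGNORECASE)      # script part, then PATH_INFO


def split_request(uri):
    """Return (url_path, path_info, query_string) for a raw request URI."""
    url_path, _, query_string = uri.partition("?")
    m = SCRIPT_RE.match(url_path)
    path_info = (m.group(2) or "") if m else ""
    return url_path, path_info, query_string


def matching_rule(uri):
    """Name of the first rule that would redirect this request, or None if it passes through.

    Rules are checked in the order they appear in the snippet: the mod_alias
    prefix Redirect, then the two RewriteConds joined by [OR]."""
    url_path, path_info, query_string = split_request(uri)
    if url_path.startswith(REDIRECT_PREFIX):
        return "Redirect /component/users"
    if QUERY_COND.search(query_string):
        return "RewriteCond QUERY_STRING"
    if PATH_INFO_COND.search(path_info):
        return "RewriteCond PATH_INFO"
    return None


def report(uris):
    """Map each URI to the rule that catches it (None = login form still reachable)."""
    return {uri: matching_rule(uri) for uri in uris}


# Constructed sample requests: the URIs listed in the post, their slash variants,
# a mixed-case variant to exercise the [NC] flag, and two that must stay reachable.
SAMPLE_URIS = [
    "/index.php?option=com_users&view=login",
    "/index.php?option=com_users",
    "/?option=com_users",
    "/index.php/component/users",
    "/component/users",
    "//index.php/component/users",
    "/index.php/component/users//",
    "//?option=com_users",
    "/?option=com_users//",
    "/index.php?Option=COM_USERS",
    "/index.php?option=com_content&view=article",
    "/component/content",
]

if __name__ == "__main__":
    for uri, rule in report(SAMPLE_URIS).items():
        print(f"{uri:45} -> {rule or 'reachable'}")
```

Each rule covers exactly one request shape (SEF path prefix, query string, PATH_INFO), which is why all three are needed; extending SAMPLE_URIS with further variants is the quickest way to see which shape a new URI falls into, or whether it falls through all three.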
