Securing The Images Folder In Joomla
Overview
The images folder is one the most vulnerable Joomla folders, because it allows users to upload files to your website. That could lead to serious security problems. The file types allowed to upload should be restricted to its minimum.
We will use .htaccess to use several strategies to address this
problem.
.htaccess are simply distributed configuration files, they “provide
a way to make configuration changes on a per-directory basis”.
In the images folder we can:
- Disable script execution
- Select which files you can upload to it
- Select which files you can NOT upload to it
Strategies
Disable script execution in images folder
By default Joomla images directory is located in the /images folder,
in this directory we add .htaccess with the following content:
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
We used the Apache Options Directive and AddHandler Directive:
First we tell Apache to treat the files ending with the above extensions as CGI scripts, i.e.: be served by mod_cgi handler, then we prevent the execution of those CGI scripts.
The Options directive controls which server features are available in a particular directory.
.htaccess whitelist
We can specify which file types we allow users to upload to the
images folder:
<FilesMatch ".+\.(gif|jpe?g|png|pdf)$">
Allow from all
</FilesMatch>
That will allow the above filenames extensions and block every other extension from getting into the folder.
The
directive limits the scope of the enclosed directives by filename, just as the directive does. However, it accepts a regular expression
.htaccess blacklist
Instead of specifying which files we allow to upload, here we tell Apache to deny the upload of files with these extensions:
<FilesMatch "\.(asp|sh|php|php5|pl)$">
Deny from all
</FilesMatch>
Conclusion
I found a good strategy to always disable script execution and
then also select from one of the other two methods, .htaccess whitelist or
blacklist, so if the attacker even handle to upload the file it won’t
get their scripts executed.
References
- Apache docs http://httpd.apache.org/docs/current
- Apache HTTP Server Tutorial: .htaccess files http://httpd.apache.org/docs/current/howto/htaccess.html
- Apache FilesMatch Directive https://httpd.apache.org/docs/2.4/mod/core.html#filesmatch
- Security Checklist/You have been hacked or defaced https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced
*[CGI]: Common Gateway Interface
- Find Out If Your Joomla Site Has Been HackedJanuary 26, 2017
- Securing The Images Folder In Joomla
- Joomla Security Tips ChecklistJanuary 8, 2017
Articles
Except as otherwise noted, the content of this page is licensed under CC BY-NC-ND 4.0 . Terms and Policy.
Powered by SimpleIT Hugo Theme
·