Many attacks are occurring because of sites' extensions vulnerable to SQL injection or LFI (local file inclusion); this simple plugin increases the level of protection, intercepting the most common types of attack on the site..
Security of your site is not an option, and protect it is an activity that will save you a considerable amount of problems.
(Versione Italiana: vedi articoli)
This extension is also published on http://extensions.joomla.org , if you like, it vote it or write a review, thank you.
SQL Injection and Local file Inclusion Protection
This plugin adds a simple but, in most cases, fondamental protection against SQL injection and LFI (local files inclusion) attacks by checking data sent to Joomla and intercept a lot of common exploits, saving your site from hackers.
- Filters requests in POST, GET, REQUEST. and blocks SQL injection / LFI attempts
- Notifies you by e-mail when a alert is generated
- Protect also from unKnown 3rd Party extensions vulnerability.
- White list for safe components (at your risk ;) )
Enable mail report and prepare yourself to be scared!
Anyway remember that security it is a 'forma mentis', not a plugin!
Standard Set up
- Works on Front End only:
ignore request (auto disable plugin) when sent to /administrator
- NameSpaces inspected
- Get, Post
- Get, Post, Request
- Ignored Extension
comma separed list of ignored components (es: com_content, com_dumper , com_weblinks)
Select which superglobal arrays to inspec.
Important,pay attention, please!
PHP parses requests and populates the superglobal arrays by copying values into each array. So $_GET['varName'] and $_REQUEST['varName'] are not reference to the same object!
Changing $_GET to sanitize the query string is not enough if the program reads $_REQUEST.
- Send Email Alert on injection/inclusion
if 'Yes' send a mail alert on attack/malformed url
- Mail to notify attack
mail to which send alert, if blank is set to 'mailfrom'
Advanced Set up
- Raise Error on Fault
if 'YES' stops Joomla! and return an error (usefull for debug pourpose), if 'No' cleans up the request and passes it to Joomla!
- Http Error Code
HTTP error code to return (40x, 50x)
- Http Error Message
a message for error page
Local File Inclusion parameters
- LFI check only on canonical
if 'Yes' checks LFI only on model, view, controller, template parameters
- Max number of consecutive '../'
how many consecutive '../' can be present in the url
(from version 1.1)
- Enable temporary IP block
Enable/Disable IP Banning
- Seconds to hold ip banned
How many seconds hold ip block enabled
- Max hacks attempt
Max hacks attempt before ip block starts
Caution: Make sure the 'Debug ' Joomla! be disabled before you enable the IP blocking.
- make sure theJoomla! 'Debug' is disabled
- enable IP blocking
- reactivate the 'Debug' (if you need it, of course)
The 'Debug' Joomla! catches database errors and prevents the plugin to create the table for storing ips.
Recovery of improper installation
This plugin is working on many hundred sites, but it was not tested with all the most common extensions. Please, check that most important functions of your website are running correctly.
Tested (almost) with:
It's never happened , but better cautious than sorry: if something goes wrong you can easily restore the site by following the instructions below.
Blank page after install
Typically you tried to install on PHP4
Use phpmyadmin (or whatelse sql editor you use), select the #__plugins (#__ is usually jos_) table.
Select the record with name equal to "System - Marco's SQL Injection - LFI Interceptor": I suppose it's the last one. Edit this record and set the "published" field to "0". now plugin is disabled.
Joomla 1.6!, Joomla 1.7!, Joomla 2.5!
Use phpmyadmin (or whatelse sql editor you use), select the #__extensions (#__ is usually jos_) table.
Select the record with name equal to "System - Marco's SQL Injection - LFI Interceptor": I suppose it's the last one. Edit this record and set the "enabled" field to "0". now plugin is disabled.
JDatabaseMySQL::query: 1146 - Table 'xxx.yyy_mi_iptable' doesn't exist
Debug was enabled when you activated IP-Blocking;
access, via ftp, configuration.php and set
var $debug = '0';
reload the page.
Version 1.2 (Mar 26th, 2013)
- Joomla! 3.0 coding style
- try - catch table checking
- InnoDB table support
Version 1.1.1 (Mar 23rd, 2013)
- Joomla! 3.0 compatibility
- it works fine, nothing else to do ;)
Version 1.1 (Mar 10th, 2011)
- added auto banning ip (ip blocking)
- RegEx improvements to intercept more SQL attacks
Version 1.0 (Jan 5th, 2011)
- Joomla! v1.6 compatibility
- send mail also when error is raised
- minor code optimization
- no bug fix, so you do not need to upgrade
Version .98a (Jun 1st, 2010) Thanks to Jeff
- fixed backtics matching
- fixed union all matching
- fixed ....// exploit
- added more info to report mail
Please, keep in mind, I repeat: this plugin intercepts a lot of common exploits, not ALL!! this should be intended as an help, this is not "THE SOLUTION".
(works also on Joomla! 1.6 & Joomla! 1.7, Doesn't work on Joomla! 3.0)