(Italian version: see articles)

This extension is also published on http://extensions.joomla.org ; if you like it, vote for it or write a review. Thank you.

SQL injection, local file inclusion protection

SQL Injection and Local file Inclusion Protection

This plugin adds a simple but, in most cases, fundamental protection against SQL injection and LFI (local file inclusion) attacks: it checks the data sent to Joomla! and intercepts a lot of common exploits, saving your site from hackers.

  • Filters requests in POST, GET and REQUEST and blocks SQL injection / LFI attempts
  • Notifies you by e-mail when an alert is generated
  • Also protects against unknown vulnerabilities in 3rd party extensions
  • White list for safe components (at your own risk ;) )

Enable mail report and prepare yourself to be scared!


Anyway, remember that security is a 'forma mentis', not a plugin!

Standard Set up

  • Works on Front End only
    requests sent to /administrator are ignored (the plugin disables itself automatically)
  • NameSpaces inspected
    select which superglobal arrays to inspect; the options are:
    • Get
    • Get, Post
    • Request
    • Get, Post, Request
  • Ignored Extension
    comma-separated list of ignored components (e.g. com_content, com_dumper, com_weblinks)

Important, pay attention, please!
PHP parses the request and populates the superglobal arrays by copying each value into every array. So $_GET['varName'] and $_REQUEST['varName'] are not references to the same value!
Changing $_GET to sanitize the query string is not enough if the program reads $_REQUEST.
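As an added example (not the plugin's own code), the PHP script below shows the copy behaviour just described and a sanitizer applied to every inspected array. The superglobals are filled by hand because the script runs from the CLI, and stripTraversal is a deliberately simple stand-in for the plugin's regex filter; the function names are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code: why sanitizing $_GET alone is not enough.
// PHP fills $_GET, $_POST and $_REQUEST with separate copies of every value, so a
// value replaced in one array stays as it was in the others.

// Constructed request. From the CLI the superglobals are empty, so they are filled
// here the way PHP would for "?option=com_content&view=../../../etc/passwd".
$_GET     = ['option' => 'com_content', 'view' => '../../../etc/passwd'];
$_POST    = [];
$_REQUEST = array_merge($_GET, $_POST);

// Stand-in cleaner for the demonstration; the plugin's real filter is regex based
// and is not reproduced here.
function stripTraversal(string $value): string
{
    return str_replace(["\0", '../'], '', $value);
}

// Clean every array you inspect (the "NameSpaces inspected" option). Going through
// $GLOBALS keeps the list as data, and the assignment lands in the real superglobal.
function sanitizeNamespaces(array $namespaces): void
{
    foreach ($namespaces as $name) {
        foreach ($GLOBALS[$name] as $key => $value) {
            if (is_string($value)) {
                $GLOBALS[$name][$key] = stripTraversal($value);
            }
        }
    }
}

// Wrong: only $_GET is cleaned. A component that reads $_REQUEST['view'] still
// receives the traversal string.
$_GET['view'] = stripTraversal($_GET['view']);
printf("after cleaning \$_GET only:  GET=%s  REQUEST=%s\n", $_GET['view'], $_REQUEST['view']);

// Right: clean each inspected array.
sanitizeNamespaces(['_GET', '_POST', '_REQUEST']);
printf("after sanitizeNamespaces:   GET=%s  REQUEST=%s\n", $_GET['view'], $_REQUEST['view']);
```

Run it with `php copies.php`: the first line shows $_GET['view'] reduced to `etc/passwd` while $_REQUEST['view'] still holds `../../../etc/passwd`; after sanitizeNamespaces both read `etc/passwd`. A single-pass str_replace is enough to show the array behaviour but is not a safe filter by itself (a nested sequence such as `....//` survives one pass, the case the plugin's history lists as fixed), so treat the cleaner here as illustration only.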

Notification

  • Send Email Alert on injection/inclusion
    if 'Yes', sends a mail alert on every attack/malformed URL
  • Mail to notify attack
    address the alert is sent to; if blank, the site's 'mailfrom' address is used

Advanced Set up

  • Raise Error on Fault
    if 'Yes', stops Joomla! and returns an error (useful for debugging purposes); if 'No', cleans up the request and passes it on to Joomla!
  • Http Error Code
    HTTP error code to return (40x, 50x)
  • Http Error Message
    message shown on the error page

Local File Inclusion parameters

  • LFI check only on canonical
    if 'Yes', checks for LFI only in the model, view, controller and template parameters
  • Max number of consecutive '../'
    how many consecutive '../' may be present in the URL
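An added example (not the plugin's own code) that puts the Local File Inclusion parameters and the Advanced Set up options above into one check: findLfi applies the canonical-only restriction and the consecutive '../' limit, and handleFault does what 'Raise Error on Fault' describes. The function names, the constructed $request and the thresholds are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code: an LFI check modelled on the options above.

// The parameters the page calls canonical.
const CANONICAL_PARAMS = ['model', 'view', 'controller', 'template'];

// Longest run of consecutive '../' (or '..\') in a value, counted after dropping NUL bytes
// so that a NUL cannot split a run into shorter pieces.
function longestTraversalRun(string $value): int
{
    $value   = str_replace("\0", '', $value);
    $longest = 0;
    if (preg_match_all('#(?:\.\.[/\\\\])+#', $value, $matches)) {
        foreach ($matches[0] as $run) {
            $longest = max($longest, (int) (strlen($run) / 3));
        }
    }
    return $longest;
}

// Remove traversal sequences repeatedly, so a nested '....//' collapses as well.
function removeTraversal(string $value): string
{
    $value = str_replace("\0", '', $value);
    do {
        $before = $value;
        $value  = preg_replace('#\.\.[/\\\\]#', '', $value);
    } while ($value !== $before);
    return $value;
}

// Returns [name => value] for every parameter over the limit. $canonicalOnly mirrors
// "LFI check only on canonical", $maxDotDot mirrors "Max number of consecutive '../'";
// a NUL byte is always reported because it truncates the included path.
function findLfi(array $params, bool $canonicalOnly, int $maxDotDot): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        if ($canonicalOnly && !in_array($name, CANONICAL_PARAMS, true)) {
            continue;
        }
        if (strpos($value, "\0") !== false || longestTraversalRun($value) > $maxDotDot) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// "Raise Error on Fault": Yes -> stop with the configured HTTP code and message;
// No -> clean the offending parameters in place and let the request go on.
function handleFault(array $hits, bool $raiseError, int $httpCode, string $message, array &$params): void
{
    if ($hits === []) {
        return;
    }
    if ($raiseError) {
        http_response_code($httpCode);
        exit($message);
    }
    foreach (array_keys($hits) as $name) {
        $params[$name] = removeTraversal($params[$name]);
    }
}

// Constructed request: 'controller' is canonical and over the limit, 'view' carries a NUL
// byte, 'file' is not canonical and is skipped while canonical-only checking is on.
$request = [
    'option'     => 'com_content',
    'controller' => '../../../../proc/self/environ',
    'view'       => "article\0",
    'file'       => '../../configuration.php',
];
$hits = findLfi($request, true, 2);
handleFault($hits, false, 403, 'Forbidden', $request);
print_r(['reported' => array_keys($hits), 'cleaned' => $request]);
```

With the settings used in the script (canonical only, at most two '../', clean instead of raise) the report lists controller and view, and the cleaned request keeps `proc/self/environ` and `article` for them. The traversal in the non-canonical 'file' parameter is deliberately left alone: that is the trade-off of 'LFI check only on canonical', fewer false positives on components that legitimately pass paths at the price of not covering parameter names the plugin does not know.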

IP Blocking

(from version 1.1)

  • Enable temporary IP block
    enables/disables IP banning
  • Seconds to hold ip banned
    how many seconds the IP block stays active
  • Max hacks attempt
    maximum number of attack attempts before the IP block starts

Caution: make sure Joomla! 'Debug' is disabled before you enable IP blocking.

  1. make sure Joomla! 'Debug' is disabled
  2. enable IP blocking
  3. re-enable 'Debug' (if you need it, of course)

Joomla! 'Debug' catches database errors and prevents the plugin from creating the table that stores the IPs.
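An added example (not the plugin's code) of the temporary IP block as a small class that keeps its state in an array; the plugin itself stores the addresses in a database table, which is why Joomla! 'Debug' gets in the way of the first activation. The class name, the constructed event sequence and the explicit clock argument are assumptions made here.

```php
<?php
// Added example, not the plugin's code: temporary IP blocking kept in memory.
// maxAttempts mirrors "Max hacks attempt", banSeconds mirrors "Seconds to hold ip banned".
class TemporaryIpBlock
{
    /** @var array<string, array{attempts:int, bannedUntil:?int}> */
    private $state = [];
    private $maxAttempts;
    private $banSeconds;

    public function __construct(int $maxAttempts, int $banSeconds)
    {
        $this->maxAttempts = $maxAttempts;
        $this->banSeconds  = $banSeconds;
    }

    // True while the ban is active. An expired ban is dropped together with its attempt
    // counter: by then the address may belong to a different user (dynamic IPs).
    public function isBanned(string $ip, int $now): bool
    {
        $until = $this->state[$ip]['bannedUntil'] ?? null;
        if ($until === null) {
            return false;
        }
        if ($now >= $until) {
            unset($this->state[$ip]);
            return false;
        }
        return true;
    }

    // Record one intercepted attempt; returns true when this attempt starts the ban.
    public function recordAttempt(string $ip, int $now): bool
    {
        if ($this->isBanned($ip, $now)) {
            return false;                       // already banned, nothing more to count
        }
        $attempts = ($this->state[$ip]['attempts'] ?? 0) + 1;
        $this->state[$ip] = ['attempts' => $attempts, 'bannedUntil' => null];
        if ($attempts >= $this->maxAttempts) {
            $this->state[$ip]['bannedUntil'] = $now + $this->banSeconds;
            return true;
        }
        return false;
    }
}

// Constructed event sequence: three intercepted attempts from one address within a
// minute, then two later requests, one inside and one after the ban window.
$block = new TemporaryIpBlock(3, 3600);
$ip    = '192.0.2.10';       // documentation address, not a real client
$t0    = 1700000000;         // fixed clock so the run is reproducible

foreach ([0, 10, 20] as $offset) {
    $started = $block->recordAttempt($ip, $t0 + $offset);
    printf("t+%4ds attempt -> ban started: %s\n", $offset, $started ? 'yes' : 'no');
}
foreach ([600, 4000] as $offset) {
    $banned = $block->isBanned($ip, $t0 + $offset);
    printf("t+%4ds request -> banned: %s\n", $offset, $banned ? 'yes' : 'no');
}
```

The run shows no ban after the first two attempts, the ban starting on the third, the address still banned at t+600 s and free again at t+4000 s, after the 3600-second window. Resetting the counter when the ban expires is what keeps a short hold period reasonable for dynamic addresses.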


Recovery of improper installation

This plugin is working on many hundreds of sites, but it has not been tested with all the most common extensions. Please check that the most important functions of your website are still running correctly.

Tested (more or less) with:

  • ckForms
  • virtuemart
  • joomfish
  • PhocaDownload
  • PhocaGallery
  • RokDownloads
  • AcyMailing
  • ccnews
  • AlphaRegistration
  • Chrono Contact
  • SOBI2

and others.

It has never happened, but better safe than sorry: if something goes wrong you can easily restore the site by following the instructions below.

Blank page after install

Typically this means you tried to install on PHP 4.

Joomla! 1.5
Use phpMyAdmin (or whatever SQL editor you use) and select the #__plugins table (#__ is usually jos_).
Select the record whose name is "System - Marco's SQL Injection - LFI Interceptor": I suppose it's the last one. Edit this record and set the "published" field to "0". The plugin is now disabled.

Joomla! 1.6, Joomla! 1.7
Use phpMyAdmin (or whatever SQL editor you use) and select the #__extensions table (#__ is usually jos_).
Select the record whose name is "System - Marco's SQL Injection - LFI Interceptor": I suppose it's the last one. Edit this record and set the "enabled" field to "0". The plugin is now disabled.

JDatabaseMySQL::query: 1146 - Table 'xxx.yyy_mi_iptable' doesn't exist

'Debug' was enabled when you activated IP blocking.

  • Disable the plugin
    see above
  • Disable Debug
    open configuration.php via FTP and set
    var $debug = '0';
    then reload the page.


HISTORY

Version 1.1 (Mar 10th, 2011)

  • added automatic IP banning (IP blocking)
  • RegEx improvements to intercept more SQL attacks

Version 1.0 (Jan 5th, 2011)

  • Joomla! v1.6 compatibility
  • send mail also when error is raised
  • minor code optimization
  • no bug fixes, so you do not need to upgrade

Version .98a (Jun 1st, 2010), thanks to Jeff

  • fixed backticks matching
  • fixed union all matching
  • fixed ....// exploit
  • added more info to report mail


Download Marco's SQL Injection - LFI Interceptor Plugin for Joomla!

Please keep in mind, I repeat: this plugin intercepts a lot of common exploits, not ALL!! It should be seen as a help; it is not "THE SOLUTION".

Joomla! 1.5

Joomla! 1.6 & Joomla! 1.7

Previous versions


Comments

0 #68 Guest 2012-05-16 09:22
How can I check that this plugin is working because it has been installed for 10 weeks now and I have not received one email yet?
0 #67 Guest 2012-05-11 04:09
1) what does this mean?
2) if they are attacking a component I don't have, then I shouldn't worry about the hack attempt?

** Local File Inclusion [GET:controller] => proc/self/environ\000
** Local File Inclusion [REQUEST:controller] => proc/self/environ\000

**PAGE / SERVER INFO

*REMOTE_ADDR :
188.190.98.26

*HTTP_USER_AGENT :
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

*REQUEST_METHOD :
GET

*QUERY_STRING :
option=com_linkr&controller=proc/self/environ%0000

** SUPERGLOBALS DUMP (sanitized)

*$_GET DUMP
-[option] => com_linkr
-[controller] => proc/self/environ\000
-[tp] =>

*$_POST DUMP

*$_COOKIE DUMP

*$_REQUEST DUMP
-[option] => com_linkr
-[controller] => proc/self/environ\000
-[tp] =>
0 #66 Guest 2012-05-09 03:57
I'm new and I have no experience in reading code, is there a way to decipher the post? ... and thank you very much for sharing your wisdom, as not all have enough resources to buy ... thanks :oops:
0 #65 Guest 2012-05-02 05:06
I read all the comments and no one asked why the hackers put so many directory levels in the paths. There aren't even that many levels from root to the web files. Can someone tell me why this is, and if it's an effective hacking technique.

=== Answer
hi leo,
a hacker can know where the environ shell is by reading the fingerprint of the operating system, but he can't know how deep the web root is. So many back-directory levels simply mean: go to root!

bye,
marco
0 #64 Guest 2012-04-12 15:10
Hello Marco,

Thank you for your plugin, I had my first alert last night and I'm glad it saved me from the hacking below!
Do you have any idea what the hacker tried to do?

** Local File Inclusion [POST:path] => images/pst.php
** Local File Inclusion [REQUEST:path] => images/pst.php

**PAGE / SERVER INFO

*REMOTE_ADDR :
216.17.109.32

*HTTP_USER_AGENT :

*REQUEST_METHOD :
POST

*QUERY_STRING :

*HTTP_REFERER :
none

** SUPERGLOBALS DUMP (sanitized)

*$_GET DUMP

*$_POST DUMP
-[path] => images/pst.php
-[raw_data] =>

*$_COOKIE DUMP

*$_REQUEST DUMP
-[path] => images/pst.php
-[raw_data] =>
0 #63 Guest 2012-04-09 09:35
Thank you for this extension!!!

I see that I can set it to temporarily block an IP address ("Enable temporary IP block").

Q: Is there a way to permanently block an IP address?
+4 #62 Guest 2012-04-08 14:00
Please would you advise whether this plugin is compatible with Joomla 2.5?
0 #61 Guest 2012-04-05 14:29
Lately I have a lot of hacking attempts like this.
I've set it to 2 attempts and blocking for 7 days.
Would it be interesting to set "Raise Error on Fault"? (what does it do?)
+1 #60 Guest 2012-03-25 19:10
Hi Marco,
What about putting the IP block to long term, such as 30 days (2592000), would that be a good idea?

=== Answer
Hi sven,
no, I don't think it's a good idea. A lot of IPs are dynamic ones, not static,
so it's not a good thing to ban them for a long time.

bye,
marco
0 #59 Guest 2012-03-20 10:15
Thanks a lot! It's great!!!