A small guide to CMSMS system security

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
Locked
User avatar
blast2007
Power Poster
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

A small guide to CMSMS system security

Post by blast2007 »

Preface:
This guide is a brief summary of all security hints found digging in CMSMS forum, wiki and other website. This guide won’t be exaustive, is open to wide contributions, and could be subject to errors, please add your feedback.


System Settings: (unix like)

1. Keep your system always update (use cron to notify new system update via mail).

2. Run your apache system in chrooted-jail mode.

3. Use strong password for root, and never login as root, use sudo.

4. Login remotely to server only via secure tunnel (SSH).

5. Protect your server with a firewall/DMZ and monitor all access with SNORT.

6. Install only needed software and remove all unneeded services/software/daemon.

7. Expose only needed ports (80, 443), not others.

8. If you want to install a db manager tools like phpmyadmin, rename default program directory with a fake name (eg. "/pma39xRlklkLK3d") and protect directory with .htaccess and .htpassword (find more on apache website and other nice site.

9. Check often apache logfile (access.log and error.log) and system log files.

Start 2008/02/21 addition
10. Backup is your last chance. So backup, backup and then backup again. (GOTO 10.) ;)
Make a full backup of your system. You can use a tools that build a bootable image of your HDD (or a copy of your virtual server image file).
Backup often your mysql dump and your CMSMS files (/images, /uploads and other specific).
Use a rotate schema for backup

Note for paranoid users: create mutiple backup copy and keep the medium in separate places far away from each other.
End 2008/02/21 addition

PHP settings:

1. Use this minimal security settings in your php.ini

Code: Select all

disable_functions = exec, show_source, shell_exec, system, popen, proc_open, proc_nice, ini_restore, passthru,dl
expose_php = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
Note: The first row should be commented out only during some particular module operations that require to use those functions.
Start 2008/02/21 addition
2. If you haven't special needs while running PHP, you can uninstall all unnecessary/additional PHP modules (e.g. CLI). Some functions (like GD) will stop to run, so make some tests before removing all.

3. Remove unused extension directive in php.ini

4. Check php.ini file permission and file owner for your specific system.
End 2008/02/21 addition

Apache Settings:

Create if not exist a file in your root CMSMS installation named .htaccess with this section:

Code: Select all

RewriteEngine On

#option to remove directory listings in all folder (avoid publishing unwanted contents)
Options -Indexes

# URL Filtering helps stop some hack attempts
#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

#OR if the URI contains a "<__script__>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

Start 2008/04/18 addition

Code: Select all

# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
End 2008/04/18 addition

Code: Select all

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]

#IF the URI contains UNION
RewriteCond %{QUERY_STRING} UNION [OR]

#OR if the URI contains a *
RewriteCond %{QUERY_STRING} \*

#then deny the request (403)
RewriteRule ^.*$ - [F,L]

# End URL Filtering
Start 2008/02/21 addition

Code: Select all

# No sense advertising what we are running
ServerSignature Off

# HTTP response header forced to be "Server: Apache" only
# Sometimes this istruction must be saved inside httpd.conf/apache.conf/sites-enabled instead of .htaccess
ServerTokens Prod
End 2008/02/21 addition

Start 2008/03/19 addition
Prevent indexing of particular files by search engines, adding some lines to /robots.txt,

Code: Select all

Disallow: /index.php?mact
Disallow: /*moduleinterface.php?mact
End 2008/03/19 addition

CMSMS Settings:


1. Use a strong password for admin login

2. Never use "admin" or "administrator" as CMSMS admin username. Use a different nickname. Pay attention if you post some news article with admin account, the name is exposed.

3. Rename admin directory with a fake name (e.g. "admin39xRlklkLK3d"). Don’t use a name easy to guess. Remember to change also /config.php with your new name $config['admin_dir'] ="admin39xRlklkLK3d"

4. Protect admin directory with a password.
Many host provider offers a way to do this in their webpage. If you are enabled by your host provider modify apache SSL config
using this setting:

Code: Select all

        <Directory /var/www/ admin39xRlklkLK3d>
                AuthName "Protected Area"
                AuthType Basic
                AuthUserFile /var/www/ admin39xRlklkLK3d /.htpasswd
                require valid-user
        </Directory>
here /admin39xRlklkLK3d /.htpassword

Code: Select all

youruser:yourencryptedpassword

5. Force logging in your CMSMS system using SSL
To achieve this use this settings:
in your admin directory create this file

/admin39xRlklkLK3d /.htaccess

Code: Select all

# force all access to /admin to SSL protected page
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

6. Check permission of config.php file.
While installing or upgrade should be 777. As soon as these tasks end, lower file permission to 444 or if it works to 440. If you haven’t SSH access to your server use your FTP or Filemanager via Control Panel (e.g. Plesk)

7. Check permission of /tmp directory.
Try to lower permissions of this directory and related subdir. You can try step by step from 775  to  755 to 750.

8. Check permission of /uploads directory.
Same as above. Check if your website works fine uploading some images and trying to display in your browser http://www.example-site.com/uploads/images/images.jpg
In Global Settings of CMSMS use 002 as umask for creating thumbnail.

9. Don’t expose your CMSMS release number in your site expeciallyin homepage!!!
If you forget to upgrade your system to latest release all the world will know (thanks google :)

10. Protect your /lib directory
create an /lib/.htaccess file with this code

Code: Select all

order deny,allow
deny from all
allow from 192.168.0.0/24 #your admin network
# allow files .js in /lib avoiding errors related to js calling e.g. tag {startExpandCollapse}
<Files ~ ".*\.js$">
 Order deny,allow
  Allow from all
</Files>

Good luck
Waiting for you reply
Best Regards
blast
Last edited by blast2007 on Fri Apr 18, 2008 9:51 am, edited 1 time in total.
Top
Ted
Power Poster
Power Poster
Posts: 3329
Joined: Fri Jun 11, 2004 6:58 pm

Re: A small guide to CMSMS system security

Post by Ted »

Fantastic!  I'm stickying this.  I'm sure some of those things will need some explanations, but it's a wonderful overview.
Top
giggler
Forum Members
Forum Members
Posts: 197
Joined: Tue Oct 09, 2007 7:08 am

Re: A small guide to CMSMS system security

Post by giggler »

and then there's this:

http://forum.cmsmadesimple.org/index.ph ... 84.15.html
Top
nivekiam

Re: A small guide to CMSMS system security

Post by nivekiam »

The deny access to config.php option is in the wiki with a bit more explanation in the comments, below is that option.

Code: Select all

# Deny access to config.php
# This can be useful if php ever breaks or dies
# Use with caution, this may break other functions of CMSms that use a config.php
# file.  This may also break other programs you have running under your CMSms
# install that use config.php.  You may need to add another .htaccess file to those
# directories to specifically allow config.php.
<Files "config.php">
order allow,deny
deny from all
</Files>
Top
Pierre M.

Re: A small guide to CMSMS system security

Post by Pierre M. »

Well done, thank you !
If you are not yet in you might consider joining the documentation team :-)

Pierre M.
Top
User avatar
blast2007
Power Poster
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: A small guide to CMSMS system security

Post by blast2007 »

I've published this guide in CMSMS wiki howto, and I will keep it update in future.

Many thanks to all contributors.
Best regards.
blast
Top
Babysittah

Re: A small guide to CMSMS system security

Post by Babysittah »

Thats real nice yo. This review might be of great help dude! :D
Top
DAHEATH
New Member
New Member
Posts: 4
Joined: Sun Feb 24, 2008 1:07 am

Re: A small guide to CMSMS system security

Post by DAHEATH »

Good advice!

Especially since the 1.2.2 SQL injection exploit is now in the wild and actually being used by criminals.  They hit my wifes little page on Feb 17th and deleted the original data and inserted a link to a banner ad server.  My Apache2 log shows several attempts over the past week on both sites I admin.  If you have an unpatched site and and you see this:

/modules/TinyMCE/content_css.php?templateid=-1/**/UNION/**/SELECT/**/username,1,password/**/FROM/**/cms_users/*

in your Apache2 access.log they have all your user names and the hashed passwords.  If the password is weak (like my wifes) criminals will be able to determine the plaintext password in minutes.  I've tried the hack myself.  It works.  Google shows over 21,000 sites with cms version 1.2.2 .  Everyone needs to patch asap.

Dale
Top
giggler
Forum Members
Forum Members
Posts: 197
Joined: Tue Oct 09, 2007 7:08 am

Re: A small guide to CMSMS system security

Post by giggler »

Wow, you're right that is easy to get that info. I'm surprised so many site don't remove the version info. Is it actually that easy to convert the password to plain text though?
Top
User avatar
blast2007
Power Poster
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: A small guide to CMSMS system security

Post by blast2007 »

DAHEATH wrote: ...
21,000 sites with cms version 1.2.2 .  Everyone needs to patch asap.
...
This is very sad, because huge number of hackable and hacked sites reflects a bad imagine of CMSMS to new and future users, despite the quick release of a patch.

Last night I had an idea for solving this problem.

Why don't warn administrator (and also all backend users) to update their CMSMS system to latest version with a popup while logging to backend system?

It could be a big red blinking popup that remains opens all the time while logged in backend.

With same patch could be possible to remove message that expose release version in footer of default template.

Let's ask Ted what he thinks about this crazy idea!

Regards
blast
Last edited by blast2007 on Mon Feb 25, 2008 8:36 am, edited 1 time in total.
Top
DAHEATH
New Member
New Member
Posts: 4
Joined: Sun Feb 24, 2008 1:07 am

Re: A small guide to CMSMS system security

Post by DAHEATH »

giggler wrote: Wow, you're right that is easy to get that info. I'm surprised so many site don't remove the version info. Is it actually that easy to convert the password to plain text though?
Yes it is.  Check out these tools.

http://www.oxid.it/cain.html

http://www.antsight.com/zsl/rainbowcrack/

This is why strong passwords are important.  By strong I mean:

1. Not a dictionary word
2. Upper an lower case
3. Numbers
4. Punctuation
5. Longer the better
Top
giggler
Forum Members
Forum Members
Posts: 197
Joined: Tue Oct 09, 2007 7:08 am

Re: A small guide to CMSMS system security

Post by giggler »

I think at least some kind of warning to admin users will be good especially for security related updates like this... If you do not come back to the site all the time, there is no other way of knowing for these 1.2.2 users...
Top
dwinters
Forum Members
Forum Members
Posts: 53
Joined: Mon Mar 17, 2008 12:46 pm

Re: A small guide to CMSMS system security

Post by dwinters »

Found this but I run on windows 2003 server iis6 - any advice (apart from move to linux!)

blast2007 wrote: Preface:
This guide is a brief summary of all security hints found digging in CMSMS forum, wiki and other website. This guide won’t be exaustive, is open to wide contributions, and could be subject to errors, please add your feedback.


System Settings: (unix like)

1. Keep your system always update (use cron to notify new system update via mail).

2. Run your apache system in chrooted-jail mode.

3. Use strong password for root, and never login as root, use sudo.

4. Login remotely to server only via secure tunnel (SSH).

5. Protect your server with a firewall/DMZ and monitor all access with SNORT.

6. Install only needed software and remove all unneeded services/software/daemon.

7. Expose only needed ports (80, 443), not others.

8. If you want to install a db manager tools like phpmyadmin, rename default program directory with a fake name (eg. "/pma39xRlklkLK3d") and protect directory with .htaccess and .htpassword (find more on apache website and other nice site.

9. Check often apache logfile (access.log and error.log) and system log files.

Start 2008/02/21 addition
10. Backup is your last chance. So backup, backup and then backup again. (GOTO 10.) ;)
Make a full backup of your system. You can use a tools that build a bootable image of your HDD (or a copy of your virtual server image file).
Backup often your mysql dump and your CMSMS files (/images, /uploads and other specific).
Use a rotate schema for backup

Note for paranoid users: create mutiple backup copy and keep the medium in separate places far away from each other.
End 2008/02/21 addition

PHP settings:

1. Use this minimal security settings in your php.ini

Code: Select all

disable_functions = exec, show_source, shell_exec, system, popen, proc_open, proc_nice, ini_restore, passthru,dl
expose_php = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
Note: The first row should be commented out only during some particular module operations that require to use those functions.
Start 2008/02/21 addition
2. If you haven't special needs while running PHP, you can uninstall all unnecessary/additional PHP modules (e.g. CLI). Some functions (like GD) will stop to run, so make some tests before removing all.

3. Remove unused extension directive in php.ini

4. Check php.ini file permission and file owner for your specific system.
End 2008/02/21 addition

Apache Settings:

Create if not exist a file in your root CMSMS installation named .htaccess with this section:

Code: Select all

RewriteEngine On

#option to remove directory listings in all folder (avoid publishing unwanted contents)
Options -Indexes

# URL Filtering helps stop some hack attempts
#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

#OR if the URI contains a "<__script__>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

Start 2008/04/18 addition

Code: Select all

# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
End 2008/04/18 addition

Code: Select all

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]

#IF the URI contains UNION
RewriteCond %{QUERY_STRING} UNION [OR]

#OR if the URI contains a *
RewriteCond %{QUERY_STRING} \*

#then deny the request (403)
RewriteRule ^.*$ - [F,L]

# End URL Filtering
Start 2008/02/21 addition

Code: Select all

# No sense advertising what we are running
ServerSignature Off

# HTTP response header forced to be "Server: Apache" only
# Sometimes this istruction must be saved inside httpd.conf/apache.conf/sites-enabled instead of .htaccess
ServerTokens Prod
End 2008/02/21 addition

Start 2008/03/19 addition
Prevent indexing of particular files by search engines, adding some lines to /robots.txt,

Code: Select all

Disallow: /index.php?mact
Disallow: /*moduleinterface.php?mact
End 2008/03/19 addition

CMSMS Settings:


1. Use a strong password for admin login

2. Never use "admin" or "administrator" as CMSMS admin username. Use a different nickname. Pay attention if you post some news article with admin account, the name is exposed.

3. Rename admin directory with a fake name (e.g. "admin39xRlklkLK3d"). Don’t use a name easy to guess. Remember to change also /config.php with your new name $config['admin_dir'] ="admin39xRlklkLK3d"

4. Protect admin directory with a password.
Many host provider offers a way to do this in their webpage. If you are enabled by your host provider modify apache SSL config
using this setting:

Code: Select all

        <Directory /var/www/ admin39xRlklkLK3d>
                AuthName "Protected Area"
                AuthType Basic
                AuthUserFile /var/www/ admin39xRlklkLK3d /.htpasswd
                require valid-user
        </Directory>
here /admin39xRlklkLK3d /.htpassword

Code: Select all

youruser:yourencryptedpassword

5. Force logging in your CMSMS system using SSL
To achieve this use this settings:
in your admin directory create this file

/admin39xRlklkLK3d /.htaccess

Code: Select all

# force all access to /admin to SSL protected page
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

6. Check permission of config.php file.
While installing or upgrade should be 777. As soon as these tasks end, lower file permission to 444 or if it works to 440. If you haven’t SSH access to your server use your FTP or Filemanager via Control Panel (e.g. Plesk)

7. Check permission of /tmp directory.
Try to lower permissions of this directory and related subdir. You can try step by step from 775  to  755 to 750.

8. Check permission of /uploads directory.
Same as above. Check if your website works fine uploading some images and trying to display in your browser http://www.example-site.com/uploads/images/images.jpg
In Global Settings of CMSMS use 002 as umask for creating thumbnail.

9. Don’t expose your CMSMS release number in your site expeciallyin homepage!!!
If you forget to upgrade your system to latest release all the world will know (thanks google :)

10. Protect your /lib directory
create an /lib/.htaccess file with this code

Code: Select all

order deny,allow
deny from all
allow from 192.168.0.0/24 #your admin network
# allow files .js in /lib avoiding errors related to js calling e.g. tag {startExpandCollapse}
<Files ~ ".*\.js$">
 Order deny,allow
  Allow from all
</Files>

Good luck
Waiting for you reply
Best Regards
blast
Top
Pierre M.

Re: A small guide to CMSMS system security

Post by Pierre M. »

blast2007 wrote: I've published this guide in CMSMS wiki howto, and I will keep it update in future.
Please everybody contribute in the wiki not in this thread which I lock.
Pierre
Top
Locked

Return to “CMSMS Core”