Securing CMS Made Simple Against Recent Vulnerabilities

Jaredfeather
New Member
Posts: 2
Joined: Thu Jun 20, 2024 8:52 am

Securing CMS Made Simple Against Recent Vulnerabilities

Post by Jaredfeather »

Hi Everyone

With recent increases in cybersecurity threats, I'm looking to bolster the security of our CMS Made Simple site. Does anyone have recommendations for security best practices or essential plugins that help protect against vulnerabilities? How do you manage user permissions effectively?

Thanks for any help!
creopard
Forum Members
Posts: 85
Joined: Fri Nov 10, 2017 10:25 am
Location: .de

Re: Securing CMS Made Simple Against Recent Vulnerabilities

Post by creopard »

A good starting point is securing the webserver first:
https://github.com/h5bp/server-configs- ... /.htaccess
pierrepercee
Forum Members
Posts: 158
Joined: Thu Jan 10, 2013 8:02 am

Re: Securing CMS Made Simple Against Recent Vulnerabilities

Post by pierrepercee »

Hello,

Creopard is right. Low-level server protection does a very good job.
You can additionally change the name of the administration directory and protect it easily with authentication via .htaccess.

I found this code that allows a bit of filtering on URLs and that works well. You have to integrate it into your .htaccess at the root.

Code:

# URL Filtering helps stop some hack attempts
# Assumes "RewriteEngine On" is already set earlier in the root .htaccess,
# as it is in the stock CMSMS file.
# IF the query string contains "http:"
RewriteCond %{QUERY_STRING} http\: [OR]
RewriteCond %{QUERY_STRING} https\: [OR]

# OR if the query string contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

# OR if the query string contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

# OR if the query string contains a "<script>" tag (plain or URL-encoded, case-insensitive)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

# OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

# OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]

# OR if the query string contains UNION
RewriteCond %{QUERY_STRING} UNION [OR]

# OR if the query string contains a * (last condition, so no [OR])
RewriteCond %{QUERY_STRING} \*

# then deny the request (403)
RewriteRule ^.*$ - [F,L]

# End URL Filtering
I'm not an expert, but lowering the permissions (chmod) of folders/files across the entire installation to the bare minimum would probably be a good idea too.
If anyone very knowledgeable about access rights for a CMSMS installation comes by...
creopard
Forum Members
Posts: 85
Joined: Fri Nov 10, 2017 10:25 am
Location: .de

Re: Securing CMS Made Simple Against Recent Vulnerabilities

Post by creopard »

Found some more CMSMS-specific .htaccess declarations (see "/doc/htaccess.txt" in your installation directory for more examples):

Code:

# exclude some CMSMS modules
# stricter variant (kept commented out): blocks every .php under modules/
# RedirectMatch 403 ^.*/modules/.*\.php$
# active rule: same, but leaves the TinyMCE responsive_filemanager reachable
RedirectMatch 403 ^.*/modules/(?!TinyMCE/responsive_filemanager/filemanager/).*\.php$
# no .php may ever be served from uploads/
RedirectMatch 403 ^.*/uploads/.*\.php$
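Before deploying either rule set it is worth seeing exactly what they accept and reject. The following is an added Python check (not code from this thread or from CMSMS) that translates pierrepercee's RewriteCond chain and creopard's RedirectMatch rules into Python regexes and runs them over constructed requests; the samples also show that a legitimate redirect URL parameter and a PHP array parameter such as tags[]=news are rejected, so check your own site's URLs first. Rule labels and sample paths are assumptions made for this example.

```python
import re
# The RewriteCond chain from the post above as Python regexes: Apache does an
# unanchored search on the raw query string, and [NC] maps to re.IGNORECASE.
QUERY_RULES = [
    ("http:", re.compile(r"http\:")),
    ("https:", re.compile(r"https\:")),
    ("[", re.compile(r"\[")),
    ("]", re.compile(r"\]")),
    ("<script>", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
    ("UNION", re.compile(r"UNION")),
    ("*", re.compile(r"\*")),
]
# The two RedirectMatch rules from the later post, applied to the request path.
PATH_RULES = [
    re.compile(r"^.*/modules/(?!TinyMCE/responsive_filemanager/filemanager/).*\.php$"),
    re.compile(r"^.*/uploads/.*\.php$"),
]

def query_verdict(query_string):
    """Label of the first RewriteCond that fires, or None if the query passes."""
    for label, pattern in QUERY_RULES:
        if pattern.search(query_string):
            return label
    return None

def classify(path, query_string=""):
    """Simulate both rule sets: '403 path', '403 query:<label>' or 'allowed'."""
    if any(p.search(path) for p in PATH_RULES):
        return "403 path"
    hit = query_verdict(query_string)
    return f"403 query:{hit}" if hit else "allowed"

# Constructed requests: attack-shaped ones, legitimate ones the filter rejects
# anyway (a redirect URL parameter, a PHP array parameter), and direct .php hits.
SAMPLES = [
    ("/index.php", "id=1 UNION SELECT 1,2"),
    ("/index.php", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("/index.php", "return=https://example.com/"),
    ("/index.php", "tags[]=news"),
    ("/uploads/images/x.php", ""),
    ("/modules/TinyMCE/responsive_filemanager/filemanager/dialog.php", ""),
    ("/modules/News/action.php", ""),
]

if __name__ == "__main__":
    for path, qs in SAMPLES:
        print(path + ("?" + qs if qs else ""), "->", classify(path, qs))
```

Running it prints one verdict per sample; the two false positives are the ones to watch for on a real site, because the page or module that uses such a parameter simply breaks with a 403.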
Jaredfeather
New Member
Posts: 2
Joined: Thu Jun 20, 2024 8:52 am

Re: Securing CMS Made Simple Against Recent Vulnerabilities

Post by Jaredfeather »

Thanks for the detailed suggestions! Securing the server and customizing the .htaccess file makes a lot of sense. I’ll start by implementing the URL filtering and reviewing the CMSMS-specific .htaccess declarations you shared. Also, lowering permissions for critical files and directories seems like a practical step. I appreciate the guidance and will look into these solutions further. Thanks again for the help!