CMS Made Simple Forums

DAHEATH wrote: ...
21,000 sites with cms version 1.2.2 .  Everyone needs to patch asap.
...

giggler wrote: Wow, you're right that is easy to get that info. I'm surprised so many site don't remove the version info. Is it actually that easy to convert the password to plain text though?

blast2007 wrote: Preface:
This guide is a brief summary of all security hints found digging in CMSMS forum, wiki and other website. This guide won’t be exaustive, is open to wide contributions, and could be subject to errors, please add your feedback.


System Settings: (unix like)

1. Keep your system always update (use cron to notify new system update via mail).

2. Run your apache system in chrooted-jail mode.

3. Use strong password for root, and never login as root, use sudo.

4. Login remotely to server only via secure tunnel (SSH).

5. Protect your server with a firewall/DMZ and monitor all access with SNORT.

6. Install only needed software and remove all unneeded services/software/daemon.

7. Expose only needed ports (80, 443), not others.

8. If you want to install a db manager tools like phpmyadmin, rename default program directory with a fake name (eg. "/pma39xRlklkLK3d") and protect directory with .htaccess and .htpassword (find more on apache website and other nice site.

9. Check often apache logfile (access.log and error.log) and system log files.

Start 2008/02/21 addition
10. Backup is your last chance. So backup, backup and then backup again. (GOTO 10.)
Make a full backup of your system. You can use a tools that build a bootable image of your HDD (or a copy of your virtual server image file).
Backup often your mysql dump and your CMSMS files (/images, /uploads and other specific).
Use a rotate schema for backup

Note for paranoid users: create mutiple backup copy and keep the medium in separate places far away from each other.
End 2008/02/21 addition

PHP settings:

1. Use this minimal security settings in your php.ini

Code: Select all

disable_functions = exec, show_source, shell_exec, system, popen, proc_open, proc_nice, ini_restore, passthru,dl
expose_php = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off

Note: The first row should be commented out only during some particular module operations that require to use those functions.
Start 2008/02/21 addition
2. If you haven't special needs while running PHP, you can uninstall all unnecessary/additional PHP modules (e.g. CLI). Some functions (like GD) will stop to run, so make some tests before removing all.

3. Remove unused extension directive in php.ini

4. Check php.ini file permission and file owner for your specific system.
End 2008/02/21 addition

Apache Settings:

Create if not exist a file in your root CMSMS installation named .htaccess with this section:

Code: Select all

RewriteEngine On

#option to remove directory listings in all folder (avoid publishing unwanted contents)
Options -Indexes

# URL Filtering helps stop some hack attempts
#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

#OR if the URI contains a "<__script__>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

Start 2008/04/18 addition

Code: Select all

# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]

End 2008/04/18 addition

Code: Select all

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]

#IF the URI contains UNION
RewriteCond %{QUERY_STRING} UNION [OR]

#OR if the URI contains a *
RewriteCond %{QUERY_STRING} \*

#then deny the request (403)
RewriteRule ^.*$ - [F,L]

# End URL Filtering 

Start 2008/02/21 addition

Code: Select all

# No sense advertising what we are running
ServerSignature Off

# HTTP response header forced to be "Server: Apache" only
# Sometimes this istruction must be saved inside httpd.conf/apache.conf/sites-enabled instead of .htaccess
ServerTokens Prod

End 2008/02/21 addition

Start 2008/03/19 addition
Prevent indexing of particular files by search engines, adding some lines to /robots.txt,

Code: Select all

Disallow: /index.php?mact
Disallow: /*moduleinterface.php?mact

End 2008/03/19 addition

CMSMS Settings:


1. Use a strong password for admin login

2. Never use "admin" or "administrator" as CMSMS admin username. Use a different nickname. Pay attention if you post some news article with admin account, the name is exposed.

3. Rename admin directory with a fake name (e.g. "admin39xRlklkLK3d"). Don’t use a name easy to guess. Remember to change also /config.php with your new name $config['admin_dir'] ="admin39xRlklkLK3d"

4. Protect admin directory with a password.
Many host provider offers a way to do this in their webpage. If you are enabled by your host provider modify apache SSL config
using this setting:

Code: Select all

        <Directory /var/www/ admin39xRlklkLK3d>
                AuthName "Protected Area"
                AuthType Basic
                AuthUserFile /var/www/ admin39xRlklkLK3d /.htpasswd
                require valid-user
        </Directory>

here /admin39xRlklkLK3d /.htpassword

Code: Select all

youruser:yourencryptedpassword

5. Force logging in your CMSMS system using SSL
To achieve this use this settings:
in your admin directory create this file

/admin39xRlklkLK3d /.htaccess

Code: Select all

# force all access to /admin to SSL protected page
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

6. Check permission of config.php file.
While installing or upgrade should be 777. As soon as these tasks end, lower file permission to 444 or if it works to 440. If you haven’t SSH access to your server use your FTP or Filemanager via Control Panel (e.g. Plesk)

7. Check permission of /tmp directory.
Try to lower permissions of this directory and related subdir. You can try step by step from 775  to  755 to 750.

8. Check permission of /uploads directory.
Same as above. Check if your website works fine uploading some images and trying to display in your browser http://www.example-site.com/uploads/images/images.jpg
In Global Settings of CMSMS use 002 as umask for creating thumbnail.

9. Don’t expose your CMSMS release number in your site expeciallyin homepage!!!
If you forget to upgrade your system to latest release all the world will know (thanks google

10. Protect your /lib directory
create an /lib/.htaccess file with this code

Code: Select all

order deny,allow
deny from all
allow from 192.168.0.0/24 #your admin network
# allow files .js in /lib avoiding errors related to js calling e.g. tag {startExpandCollapse}
<Files ~ ".*\.js$">
 Order deny,allow
  Allow from all
</Files>

Good luck
Waiting for you reply
Best Regards
blast

blast2007 wrote: I've published this guide in CMSMS wiki howto, and I will keep it update in future.