Created
January 26, 2020 15:42
-
-
Save CB9TOIIIA/b59c1ea43b61a14f1e6e28204d9bd5d6 to your computer and use it in GitHub Desktop.
Joomla .htaccess block
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| # @package Joomla | |
| # @copyright Copyright (C) 2005 - 2013 Open Source Matters. All rights reserved. | |
| # @license GNU General Public License version 2 or later; see LICENSE.txt | |
| ## | |
| ## | |
| # READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE! | |
| # | |
| # The line just below this section: 'Options +FollowSymLinks' may cause problems | |
| # with some server configurations. It is required for use of mod_rewrite, but may already | |
| # be set by your server administrator in a way that dissallows changing it in | |
| # your .htaccess file. If using it causes your server to error out, comment it out (add # to | |
| # beginning of line), reload your site in your browser and test your sef url's. If they work, | |
| # it has been set by your server administrator and you do not need it set here. | |
| ## | |
| ## Can be commented out if causes errors, see notes above. | |
| Options +FollowSymLinks | |
| ## Mod_rewrite in use. | |
| RewriteEngine On | |
| ## Begin - Rewrite rules to block out some common exploits. | |
| # If you experience problems on your site block out the operations listed below | |
| # This attempts to block the most common type of exploit `attempts` to Joomla! | |
| # | |
| # Block out any script trying to base64_encode data within the URL. | |
| RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR] | |
| # Block out any script that includes a <script> tag in URL. | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] | |
| # Block out any script trying to set a PHP GLOBALS variable via URL. | |
| RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] | |
| # Block out any script trying to modify a _REQUEST variable via URL. | |
| RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) | |
| # Return 403 Forbidden header and show the content of the root homepage | |
| RewriteRule .* index.php [F] | |
| # | |
| ## End - Rewrite rules to block out some common exploits. | |
| ## Begin - Custom redirects | |
| # | |
| # If you need to redirect some pages, or set a canonical non-www to | |
| # www redirect (or vice versa), place that code here. Ensure those | |
| # redirects use the correct RewriteRule syntax and the [R=301,L] flags. | |
| # | |
| ## End - Custom redirects | |
| ## | |
| # Uncomment following line if your webserver's URL | |
| # is not directly related to physical file paths. | |
| # Update Your Joomla! Directory (just / for root). | |
| ## | |
| # RewriteBase / | |
| ## Begin - Joomla! core SEF Section. | |
| # | |
| RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] | |
| # | |
| # If the requested path and file is not /index.php and the request | |
| # has not already been internally rewritten to the index.php script | |
| RewriteCond %{REQUEST_URI} !^/index\.php | |
| # and the request is for something within the component folder, | |
| # or for the site root, or for an extensionless URL, or the | |
| # requested URL ends with one of the listed extensions | |
| RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC] | |
| # and the requested path and file doesn't directly match a physical file | |
| RewriteCond %{REQUEST_FILENAME} !-f | |
| # and the requested path and file doesn't directly match a physical folder | |
| RewriteCond %{REQUEST_FILENAME} !-d | |
| # internally rewrite the request to the index.php script | |
| RewriteRule .* index.php [L] | |
| # | |
| ## End - Joomla! core SEF Section. | |
| <Filesmatch ".(php)$"> | |
| order deny,allow | |
| deny from all | |
| </Filesmatch> | |
| <Filesmatch "^index.php"> | |
| order allow,deny | |
| allow from all | |
| </Filesmatch> | |
| <Filesmatch "^index2.php"> | |
| order deny,allow | |
| allow from all | |
| </Filesmatch> | |
| # WAF Rules ----------------------------------------------------------------------------- | |
| RewriteEngine On | |
| # Block methods | |
| # s-0005 | |
| RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC] | |
| RewriteRule .* - [F,L] | |
| # Apache range security problem | |
| # s-0006 | |
| RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC] | |
| RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+ | |
| RewriteRule .* - [F] | |
| # RFI/LFI Protection | |
| # s-0007 | |
| RewriteCond %{QUERY_STRING} ![a-zA-Z0-9_]=http://%{HTTP_HOST}/ | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https:// [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=ftp:// [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=gopher:// [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [OR] | |
| RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [OR] | |
| RewriteCond %{QUERY_STRING} \=\|w\| [NC] | |
| RewriteRule .* - [F,L] | |
| # Block system file and folder access | |
| # s-0008 | |
| RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR] | |
| RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR] | |
| RewriteCond %{QUERY_STRING} \$_POST [NC,OR] | |
| RewriteCond %{QUERY_STRING} wp-config.php [NC,OR] | |
| RewriteCond %{QUERY_STRING} (javascript:).*(;).* [NC,OR] | |
| RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC] | |
| RewriteRule .* - [F,L] | |
| RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR] | |
| RewriteCond %{THE_REQUEST} cgi-bin [NC,OR] | |
| #RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR] | |
| #RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR] | |
| RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR] | |
| RewriteCond %{REQUEST_URI} server-status [NC] | |
| RewriteRule .* - [F,L] | |
| RewriteRule /DOCUMENT_ROOT - [F,L] | |
| RewriteRule /_mem_bin - [F,L] | |
| RewriteRule /msadc - [F,L] | |
| RewriteRule /_vti_bin - [F,L] | |
| RewriteRule /_vti_inf.html - [F,L] | |
| # Shellshock | |
| RewriteCond %{QUERY_STRING} (\s*)\s*{\s*:;\s*}; | |
| RewriteCond %{THE_REQUEST} (\s*)\s*{\s*:;\s*}; | |
| RewriteCond %{HTTP_REFERER} (\s*)\s*{\s*:;\s*}; | |
| RewriteCond %{HTTP_USER_AGENT} (\s*)\s*{\s*:;\s*}; | |
| RewriteRule .* - [F,L] | |
| # Block 3rd parties | |
| # s-0009 | |
| RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR] | |
| RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC] | |
| RewriteRule .* index.php [F,L] | |
| # TimThumb blocker | |
| # s-0010 | |
| RewriteCond %{HTTP_REFERER} ^.*%{HTTP_HOST}.* | |
| RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (uploadify/uploadify.php) [NC] | |
| RewriteRule .* - [F,L] | |
| # Block suspicious user agents | |
| # s-0011 | |
| #RewriteCond %{HTTP_USER_AGENT} (AESOP_com_SpiderMan|AhrefsBot|Alexibot|Anonymouse.org|asterias|attach|BackDoorBot|BackWeb|Bandit|Baiduspider|BatchFTP|Bigfoot|Black.Hole|BlackWidow|BlowFish|Bot mailto:craftbot@yahoo.com|BotALot|BTWebClient|Buddy|BuiltBotTough|Bullseye|BunnySlippers|Cegbfeieh|CheeseBot|CherryPicker|ChinaClaw|Collector|CommentReader|Copier|CopyRightCheck|cosmos|Crescent|Curl|Custo|DA|DISCo|discobot|DIIbot|DittoSpyder|Dolphin|Download|Download Demon|Download Devil|Download Wonder|Downloader|dragonfly|Drip|eCatch|EasyDL|ebingbong|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|Express WebPictures|Extractor|EyeNetIE|Ezooms|FileHound|FlashGet|Foobot|flunky|FrontPage|GetRight|GetSmart|GetWeb!|Go!Zilla|Go-Ahead-Got-It|gotit|Grabber|GrabNet|Grafula|Harvest|havij|hloader|HMView|httplib|HTTrack|humanlinks|ia_archiver|igdeSpyder|IlseBot|Image Stripper|Image Sucker|Indy Library|InfoNaviRobot|InfoTekies|Intelliseek|InterGET|Internet Ninja|Iria|Jakarta|JennyBot|JetCar|JOC|JustView|Jyxobot|Kenjin.Spider|Keyword.Density|larbin|LeechFTP|LexiBot|lftp|libWeb/clsHTTP|likse|LinkextractorPro|LinkScan/8.1a.Unix|LNSpiderguy|LinkWalker|lwp-trivial|LWP::Simple|Magnet|Mag-Net|MarkWatch|Mass Downloader|Mata.Hari|Media Center PC|Memo|MJ12bot|Microsoft.URL|Microsoft URL Control|MIDown tool|MIIxpc|Mirror|Missigua Locator|Mister PiX|moget|Mozilla/3.Mozilla/2.01|Mozilla.*NEWT|NAMEPROTECT|Navroad|NearSite|NetAnts|Netcraft|NetMechanic|NetSpider|Net Vampire|NetZIP|NextGenSearchBot|NG|NICErsPRO|NimbleCrawler|Ninja|NPbot|Octopus|Offline Explorer|Offline Navigator|Openfind|OutfoxBot|PageGrabber|Papa Foto|pavuk|pcBrowser|PHP version tracker|Pockey|ProPowerBot/2.14|ProWebWalker|psbot|Pump|QueryN.Metasearch|RealDownload|Reaper|Recorder|ReGet|RepoMonkey|RMA|Siphon|sitecheck.internetseer.com|SiteSnagger|Slurp|SlySearch|SmartDownload|Snake|Snapbot|Snoopy|sogou|SpaceBison|SpankBot|spanner|Sqworm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|suzuran|Szukacz/1.4|Tagoobot|tAkeOut|Teleport|Telesoft|TurnitinBot/1.5|The.Intraformant|TheNomad|TightTwatBot|Titan|toCrawl/UrlDispatcher|True_Robot|turingos|TurnitinBot|Twiceler|URLy.Warning|Vacuum|VCI|VoidEYE|Web Image Collector|Web Sucker|WebAuto|WebBandit|Webclipping.com|WebCopier|WebEMailExtrac.*|WebEnhancer|WebFetch|WebGo IS|Web.Image.Collector|WebLeacher|WebmasterWorldForumBot|WebReaper|WebSauger|WebSite|Website eXtractor|Website Quester|Webster|WebStripper|WebWhacker|WebZIP|Wget|Whacker|Widow|WISENutbot|WWWOFFLE|WWW-Collector-E|Xaldon|Xenu|Yeti|Zeus|Zyborg) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} (;|<|’|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC] | |
| RewriteCond %{HTTP_USER_AGENT} .*\{.* [NC] | |
| RewriteRule .* - [F,L] | |
| RewriteCond %{HTTP_USER_AGENT} ":s:[0-9]+:" [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} "JDatabaseDriver" [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} "NT 5.1; SV1" [NC] | |
| RewriteRule .* - [F,L] | |
| RewriteCond %{HTTP:X-FORWARDED-FOR} ":s:[0-9]+:" [NC,OR] | |
| RewriteCond %{HTTP:X-FORWARDED-FOR} "JDatabaseDriver" [NC] | |
| RewriteRule .* - [F,L] | |
| # Filter out referer | |
| # s-0012 | |
| RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC] | |
| RewriteRule .* - [F,L] | |
| # Protect against SQL Injections and code injection | |
| # s-0013 | |
| RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(eval|chmod|chdir|mkdir|rmdir|clear|whoami|uname|unzip|gunzip|grep|more|umask|telnet|ssh|ftp|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query|file_get_contents)([^a-zA-Z0-9].+)*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|popen|proc_open)(.*)$ | |
| RewriteRule .* - [F,L] | |
| # s-0014 | |
| RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR] | |
| RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR] | |
| RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] | |
| RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR] | |
| RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x3c|\x3e|\x7f).* [NC,OR] | |
| RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [NC,OR] | |
| RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] | |
| RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] | |
| RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR] | |
| RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (sp_executesql) [NC] | |
| RewriteRule .* - [F,L] | |
| # Block sensitive files | |
| # s-0015 | |
| <FilesMatch "\.(cfg|pl|htaccess|htpasswd|ini|phps|fla|psd|log|sh|sql|inc|tpl|svn|git|cvs|phtml|asp)$"> | |
| Order Allow,Deny | |
| Deny from All | |
| </FilesMatch> | |
| # Block unsafe system components | |
| # s-0017 | |
| RewriteRule /phpmy/ - [F,L] | |
| RewriteRule /phpmyadmin/ - [F,L] | |
| RewriteRule /phpMy/ - [F,L] | |
| RewriteRule /_phpmyadmin/ - [F,L] | |
| RewriteRule /pma/ - [F,L] | |
| RewriteRule /MyAdmin/ - [F,L] | |
| RewriteRule scripts/setup.php - [F,L] | |
| RewriteRule /backup - [F,L] | |
| RewriteRule dumper.php - [F,L] | |
| RewriteRule /admin/phpmyadmin - [F,L] | |
| RewriteRule /admin/pma - [F,L] | |
| RewriteRule /dbadmin - [F,L] | |
| RewriteRule /mysql-admin - [F,L] | |
| RewriteRule /mysqlmanager - [F,L] | |
| RewriteRule /mysql - [F,L] | |
| RewriteRule /phpadmin - [F,L] | |
| RewriteRule /phpmanager - [F,L] | |
| RewriteRule /phpmyadmin1 - [F,L] | |
| RewriteRule /phpmyadmin2 - [F,L] | |
| RewriteRule /phpMyAdmin-2 - [F,L] | |
| RewriteRule /php-myadmin - [F,L] | |
| RewriteRule /phpmy-admin - [F,L] | |
| RewriteRule /pma2005 - [F,L] | |
| RewriteRule /PMA2005 - [F,L] | |
| RewriteRule /p/m/a - [F,L] | |
| RewriteRule /pma - [F,L] | |
| RewriteRule /sqlmanager - [F,L] | |
| RewriteRule /sqlweb - [F,L] | |
| RewriteRule /typo3/phpmyadmin - [F,L] | |
| RewriteRule /webadmin - [F,L] | |
| RewriteRule /webdb - [F,L] | |
| RewriteRule /web/phpMyAdmin - [F,L] | |
| RewriteRule /xampp/phpmyadmin - [F,L] | |
| RewriteRule /myadminscripts/setup.php - [F,L] | |
| RewriteRule /mysqladmin - [F,L] | |
| RewriteRule /php-my-admin - [F,L] | |
| RewriteRule /phpmyadmin - [F,L] | |
| RewriteRule /websql - [F,L] | |
| RewriteRule /myadmin - [F,L] | |
| RewriteRule /sql/ - [F,L] | |
| RewriteRule /mysql/ - [F,L] | |
| RewriteRule /setup.php?dir - [F,L] | |
| RewriteRule /MSOffice/cltreq.asp - [F,L] | |
| RewriteRule ///?_SERVER[DOCUMENT_ROOT] - [F,L] | |
| RewriteRule //?_SERVER[DOCUMENT_ROOT] - [F,L] | |
| RewriteRule /pagead/test_domain.js - [F,L] | |
| RewriteRule /pagead/osd.js - [F,L] | |
| RewriteRule /pagead/expansion_embed.js - [F,L] | |
| RewriteRule /pagead/render_ads.js - [F,L] | |
| RewriteRule /pagead/atf.js - [F,L] | |
| RewriteRule (.*)\cmd.exe$ - [F,L] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment