Now this is the full spec:
--> This one does NOT redirect to burp or blackhole but sends HTTP response 403 (FORBIDDEN).
Security @ Line 1-7 and @ Line 57-141
<FilesMatch "\.(php|tpl)$">
    Order allow,deny
    Deny from all
</FilesMatch>
...
Is there a way to specify folders or certain PHP files that are allowed to be executed? Or to specify a user (MODX System ...?) who is not denied? I'm aware that this may reduce the security effect of the rule...
Thanks for your hints again!
# <Files> must be closed with </Files>, not </FilesMatch>
<Files multitv.connector.php>
    Order deny,allow
    Allow from all
</Files>
# Lines 1-7: tag unwanted clients (the "Deny from env=keep_out" that
# acts on this variable is not part of the quoted excerpt)
SetEnvIfNoCase User-Agent "Jakarta Commons" keep_out
SetEnvIfNoCase User-Agent "Y!OASIS/TEST" keep_out
SetEnvIfNoCase User-Agent "libwww-perl" keep_out
SetEnvIfNoCase User-Agent "MOT-MPx220" keep_out
SetEnvIfNoCase User-Agent "MJ12bot" keep_out
SetEnvIfNoCase User-Agent "Nutch" keep_out
SetEnvIfNoCase User-Agent "cr4nk" keep_out

# For full documentation and other suggested options, please see
# http://svn.modxcms.com/docs/display/MODx096/Friendly+URL+Solutions
# including for unexpected logouts in multi-server/cloud environments
# and especially for the first three commented out rules

#php_flag register_globals Off
#AddDefaultCharset utf-8
#php_value date.timezone Europe/Moscow

Options +FollowSymlinks
RewriteEngine On
RewriteBase /

# Fix Apache internal dummy connections from breaking [(site_url)] cache
RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
RewriteRule .* - [F,L]

# Rewrite domain.com -> www.domain.com -- used with SEO Strict URLs plugin
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
#RewriteRule (.*) http://www.example.com/$1 [R=301,L]

# Exclude /assets and /manager directories and images from rewrite rules
RewriteRule ^(manager|assets)/*$ - [L]
RewriteRule \.(jpg|jpeg|png|gif|ico)$ - [L]

# For Friendly URLs
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

# Blackhole: requests whose raw query string carries a common attack
# payload are redirected to /blackhole/index.php (the trailing "?" drops
# the query string; [R] without a status code is a 302).
# Rules without [NC] are case-sensitive.
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*) [NC,OR]
RewriteCond %{QUERY_STRING} (.*)(reflect\.php|contact\.php)(.*) [NC,OR]
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# The "[" must be escaped: unescaped it opens a character class and the
# alternation no longer means "=", "[" or a percent-escape.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ /blackhole/index.php? [R,L]

# Reduce server overhead by enabling output compression if supported.
#php_flag zlib.output_compression On
#php_value zlib.output_compression_level 5
<FilesMatch "\.(php|tpl)$">
    Order allow,deny
    Deny from all
</FilesMatch>
I have also changed passwords etc. and deleted numerous snippet.ditto.2.php files in both the cache and assets/snippets/ditto dirs.
# FilesMatch takes a regex: escape the dot and anchor the pattern so that
# only file names ending in connector.php are re-allowed.
<FilesMatch "connector\.php$">
    Order deny,allow
    Allow from all
</FilesMatch>
Most security holes reside in Extras that were uploaded to the assets folder.
There are 3 things you can do to secure old sites:
2. Restrict access to .tpl and .php files in the assets folder:
<FilesMatch "\.(php|tpl)$">
    Order allow,deny
    Deny from all
</FilesMatch>
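To see what the quoted rules actually catch and miss before touching a live server, here is an added Python model (example code written for this page, not MODX or Apache code) that re-implements the FilesMatch deny/allow pair and the blackhole RewriteCond list as Python regexes and runs constructed requests through them. It assumes the FilesMatch sections live in assets/.htaccess (so only paths under assets/ are governed), uses the anchored `connector\.php$` form of the allow-list and the escaped `\[` of the stock MODX GLOBALS/_REQUEST rules, and adds a case-insensitive variant of the deny pattern as a suggested hardening; the sample requests are constructed, not taken from any log.

```python
"""Offline model of the .htaccess rules quoted in this thread.

Added example, not MODX or Apache code: the quoted <FilesMatch> pair and
the blackhole RewriteCond list are re-implemented as Python regexes so
they can be exercised against constructed requests without a web server.
Verify the real rules against Apache afterwards.
"""
import re

# --- access control: the <FilesMatch> pair placed in assets/.htaccess -------
# Posted rule: <FilesMatch "\.(php|tpl)$"> Order allow,deny / Deny from all.
DENY_PHP_TPL = re.compile(r"\.(php|tpl)$")
# Suggested hardening (assumption, not from the thread): mod_mime maps the
# .php extension case-insensitively, so foo.PHP still runs as PHP but slips
# past the case-sensitive pattern above.
DENY_PHP_TPL_CI = re.compile(r"\.(php|tpl)$", re.IGNORECASE)
# Allow-list section, anchored form of the posted "connector.php".
ALLOW_CONNECTOR = re.compile(r"connector\.php$")

# --- blackhole query-string rules -------------------------------------------
# (pattern, flags): [NC] on the posted rule -> re.IGNORECASE, otherwise 0.
# GLOBALS/_REQUEST use the escaped "\[" of the stock MODX rule.
BLACKHOLE = [
    (r"(http|https|ftp)://", re.IGNORECASE),
    (r"(reflect\.php|contact\.php)", re.IGNORECASE),
    (r"proc/self/environ", 0),
    (r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", 0),
    (r"base64_encode.*(.*)", 0),
    (r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    (r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", 0),
]
BLACKHOLE_RE = [re.compile(p, f) for p, f in BLACKHOLE]


def matched_blackhole_rule(query):
    """Return the first blackhole pattern the query string hits, or None.
    Apache tests %{QUERY_STRING} undecoded, so pass the raw string."""
    for rx in BLACKHOLE_RE:
        if rx.search(query):
            return rx.pattern
    return None


def access_decision(path, deny_re=DENY_PHP_TPL):
    """Apache 2.2 Order/Allow/Deny model for the two quoted sections.
    Both live in assets/.htaccess, so paths outside assets/ are untouched;
    the later (allow) section overrides the earlier (deny) one where both
    match the file name."""
    if not path.startswith("assets/"):
        return "allow"
    name = path.rsplit("/", 1)[-1]
    if deny_re.search(name) and not ALLOW_CONNECTOR.search(name):
        return "deny"
    return "allow"


def evaluate(path, query="", deny_re=DENY_PHP_TPL):
    """Status the modelled rules would produce for one request.
    Access control is checked first; per-directory rewrite rules run
    later, in Apache's fixup phase."""
    if access_decision(path, deny_re) == "deny":
        return "403"
    if matched_blackhole_rule(query) is not None:
        return "302 /blackhole/index.php"  # [R,L] without a code is a 302
    return "200"


if __name__ == "__main__":
    # Constructed requests, not taken from any real log.
    for path, query in [
        ("assets/snippets/ditto/snippet.ditto.2.php", ""),
        ("assets/components/multitv/connector.php", ""),
        ("assets/images/shell.PHP", ""),
        ("index.php", "q=news&id=1"),
        ("index.php", "q=GLOBALS[x]=1"),
        ("index.php", "file=../../proc/self/environ"),
        ("index.php", "x=BASE64_ENCODE(1)"),
    ]:
        print(f"{path}?{query:<35} -> {evaluate(path, query)}")
```

Two results are worth noting. `shell.PHP` passes the posted deny rule but would still be executed, because mod_mime matches the .php extension case-insensitively; the deny pattern needs `(?i)` or an explicit `[Pp][Hh][Pp]`. `BASE64_ENCODE(1)` passes the blackhole filter because that RewriteCond carries no [NC] flag while PHP function names are case-insensitive. On Apache 2.4 the Order/Allow/Deny directives only work with mod_access_compat loaded; the native forms are `Require all denied` and `Require all granted`.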