    • 2762
    • 1,198 Posts
    Quote from: mrhaw at Aug 09, 2014, 02:05 PM

    Now this is the full spec:

    --> This one does NOT re-direct to burp or blackhole but sends HTTP response 403 (FORBIDDEN).
    Security @ Line 1-7 and @ Line 57-141


    Testing on 4 servers:

    403 Forbidden redirect (Line 57-141) sometimes fails on different server configurations.
    Moved to the top of htaccess, works with all.
      Free MODx Graphic resources and Templates www.tattoocms.it
      -----------------------------------------------------

      MODx IT  www.modx.it
      -----------------------------------------------------

      bubuna.com - Web & Multimedia Design
      • 36649
      • 77 Posts
      Hello mrhaw,

      we now ran into a problem with mrhaw's great security todo recommendations and easy2gallery:

      2. Restrict access to .tpl and .php files in assets folder:

      <filesmatch "\.(php|tpl)$">
         Order allow,deny
         Deny from all
      </filesmatch>


      Unfortunately this seems to prevent the easy2gallery snippet from showing thumbnails in the manager (easy2 -> Menu/Files) and from loading big images in the frontend.

      The timeline says that /assets/modules/easy2/includes/controllers is 403/Forbidden,

      and

      show.easy2gallery.php?fid=99
      /assets/modules/easy2 is 403/Forbidden

      Removing the htaccess rule makes the thumbnails and big images visible again.

      Is there a way to specify folders or certain php files to allow to be executed? Or specify a user (MODX System ...?) who is not denied? I'm aware that this may reduce the security effect of the rule...

      Thanks for your hints again!

        • 20413
        • 2,877 Posts
        Quote from: hgw7m at Aug 12, 2014, 11:05 AM

        ...
        Is there a way to specify folders or certain php files to allow to be executed? Or specify a user (MODX System ...?) who is not denied? I'm aware that this may reduce the security effect of the rule...

        Thanks for your hints again!


        I need to do some research on allowing a subfolder to break free. As of now I can only think of placing individual .htaccess files in all assets folders except modules. Then you could add some security by renaming the module folders and updating the change in the include() / or header() paths.

        This security measure also affects multiTV! It sounded like Jako had an idea how to work around this...
        http://forums.modx.com/thread/91265/modx-evolution-1-0-14-out-now#dis-post-499625
          @hawproductions | http://mrhaw.com/

          Infograph: MODX Advanced Install in 7 steps:
          http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

          Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
          http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
        Think this could work for multiTV. Create a .htaccess file in assets/tvs/multitv with the content:
          <files multitv.connector.php>
             Order deny,allow
             allow from all
          </files>


          Same approach should work in easy2gallery (allowing only the thumbnail controller file to be executed).
            • 36799
            • 40 Posts
            I have had a nightmare over this the past month - I am now deleting ditto and ajaxSearch as well as index-ajax.php in root for all sites not using the ditto & search functionality.

            I have also disabled the forgot manager plugin

            I would just like to confirm that the htaccess in the root should be configured like this now

            SetEnvIfNoCase User-Agent "Jakarta Commons" keep_out
            SetEnvIfNoCase User-Agent "Y!OASIS/TEST"    keep_out
            SetEnvIfNoCase User-Agent "libwww-perl"     keep_out
            SetEnvIfNoCase User-Agent "MOT-MPx220"      keep_out
            SetEnvIfNoCase User-Agent "MJ12bot"         keep_out
            SetEnvIfNoCase User-Agent "Nutch"           keep_out
            SetEnvIfNoCase User-Agent "cr4nk"           keep_out
            
            
            # For full documentation and other suggested options, please see
            # http://svn.modxcms.com/docs/display/MODx096/Friendly+URL+Solutions
            # including for unexpected logouts in multi-server/cloud environments
            # and especially for the first three commented out rules
            
            #php_flag register_globals Off
            #AddDefaultCharset utf-8
            #php_value date.timezone Europe/Moscow
            
            Options +FollowSymlinks
            RewriteEngine On
            RewriteBase /
            
            # Fix Apache internal dummy connections from breaking [(site_url)] cache
            RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
            RewriteRule .* - [F,L]
            
            # Rewrite domain.com -> www.domain.com -- used with SEO Strict URLs plugin
            #RewriteCond %{HTTP_HOST} .
            #RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
            #RewriteRule (.*) http://www.example.com/$1 [R=301,L]
            
            # Exclude /assets and /manager directories and images from rewrite rules
            RewriteRule ^(manager|assets)/*$ - [L]
            RewriteRule \.(jpg|jpeg|png|gif|ico)$ - [L]
            
            # For Friendly URLs
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
            RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*) [NC,OR]
            RewriteCond %{QUERY_STRING} (.*)(reflect\.php|contact\.php)(.*) [NC,OR]
            RewriteCond %{QUERY_STRING} proc/self/environ [OR]
            RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
            RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
            RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
            RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
            RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
            RewriteRule ^(.*)$ /blackhole/index.php? [R,L]
            
            # Reduce server overhead by enabling output compression if supported.
            #php_flag zlib.output_compression On
            #php_value zlib.output_compression_level 5


            As well as creating a new .htaccess in the assets folder dir

            <filesmatch "\.(php|tpl)$">
               Order allow,deny
               Deny from all
            </filesmatch>


            I have also changed passwords etc and deleted numerous snippet.ditto.2.php in both cache and assets/snippets/ditto dirs
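To see which requests the RewriteCond block in that root .htaccess actually sends to /blackhole, here is an added Python checker (not part of the post or of MODX) that applies the same patterns, copied as quoted, to the raw query string of a few constructed request targets; the labels and sample targets are mine.

```python
import re
from urllib.parse import urlsplit

# Added checker (not part of the post or of MODX): the RewriteCond patterns
# from the root .htaccess above, copied as written and applied with Python's
# re, which accepts this PCRE subset unchanged. Apache tests %{QUERY_STRING}
# raw, without URL-decoding, which is why the original lists both "<" and
# "%3C"; this checker also leaves the query string undecoded.
BLACKHOLE_CONDS = [
    ("remote-url",      r"(.*)(http|https|ftp):\/\/(.*)", re.I),
    ("reflect-contact", r"(.*)(reflect\.php|contact\.php)(.*)", re.I),
    ("proc-environ",    r"proc/self/environ", 0),
    ("mosconfig",       r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    ("base64",          r"base64_encode.*(.*)", 0),
    ("script-tag",      r"(<|%3C).*script.*(>|%3E)", re.I),
    # the group after GLOBALS/_REQUEST may match empty, so the bare word fires
    ("globals",         r"GLOBALS(=|[|\%[0-9A-Z]{0,2})", 0),
    ("request",         r"_REQUEST(=|[|\%[0-9A-Z]{0,2})", 0),
]

def matched_condition(query_string):
    """Return the label of the first condition the raw query string trips, or None."""
    for label, pattern, flags in BLACKHOLE_CONDS:
        if re.search(pattern, query_string, flags):
            return label
    return None

def would_be_blackholed(request_target):
    """Given the request target (path plus query), say which rule redirects it."""
    return matched_condition(urlsplit(request_target).query)

def audit(targets):
    """Map request targets to the condition that catches them (None = passed)."""
    return {t: would_be_blackholed(t) for t in targets}

# Constructed sample request targets, not real traffic
SAMPLE_TARGETS = [
    "/index.php?q=news&id=42",
    "/index.php?q=http://evil.example/shell.txt",
    "/index.php?q=page&file=../../proc/self/environ",
    "/index.php?q=search&s=%3Cscript%3Ealert(1)%3C/script%3E",
    "/index.php?q=page&GLOBALS[x]=1",
    "/index.php?mosConfig_absolute_path%3D/tmp",
]
```

Note that the SetEnvIfNoCase lines at the top only tag a request with keep_out; they block nothing unless a matching `Deny from env=keep_out` directive is also present, which the snippet as quoted does not show.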
              • 36649
              • 77 Posts
              Thanks - for Easy2Gallery the following has now worked:

              For the "Lightbox" function (or another viewer) in the frontend, a .htaccess in assets/modules/easy2 with the following content:

              <filesmatch show.easy2gallery.php>
              Order deny,allow
              allow from all
              </filesmatch>

              For the thumbnail display in the backend, a .htaccess in
              assets/modules/easy2/includes/controllers:

              <filesmatch module.gallery.default.thumb.php>
              Order deny,allow
              allow from all
              </filesmatch>

                • 36649
                • 77 Posts
                Did you also remove the numerous php files (like 123456.php) that were uploaded to some folders, like assets/images, assets/files and sometimes deeper into the manager folder as well?

                You should do clean updates to 1.0.14 as JaKo described in a post:
                http://forums.modx.com/thread/92609/modx-evo-spamming#dis-post-506096
                  • 39053
                  • 34 Posts
                  In newer Easy2gallery installations you have to put the .htaccess not in the folder /controllers but in the folder assets/modules/easy2/includes/connector with this text:

                  <filesmatch connector.php>
                  Order deny,allow
                  allow from all
                  </filesmatch> 


                  Then all works fine.
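The multiTV and Easy2Gallery posts above all rely on the same Apache behaviour: a deny-all section in assets/.htaccess, overridden per file by a deeper .htaccess. The following is an added Python model of that parent-to-child merge (not Apache and not MODX code), with the thread's deny rule and allow exceptions encoded as data so you can check which files a given layout actually exposes; the rule table and paths are constructed from the posts.

```python
import posixpath
import re

# Added model (not Apache or MODX code) of how Apache 2.2 merges
# per-directory .htaccess access sections: .htaccess files are read from
# the document root down to the requested file's directory, and a
# <Files>/<FilesMatch> section in a deeper directory overrides a matching
# one from a parent. The rules are constructed from this thread: deny-all
# for .php/.tpl under assets/ plus the per-file allow exceptions (dots in
# the patterns are escaped here; the posts' unescaped dots match the same).
HTACCESS_RULES = [
    # (directory, section type, pattern, allowed)
    ("/assets", "filesmatch", r"\.(php|tpl)$", False),
    ("/assets/tvs/multitv", "files", "multitv.connector.php", True),
    ("/assets/modules/easy2", "filesmatch", r"show\.easy2gallery\.php", True),
    ("/assets/modules/easy2/includes/controllers", "filesmatch",
     r"module\.gallery\.default\.thumb\.php", True),
    ("/assets/modules/easy2/includes/connector", "filesmatch",
     r"connector\.php", True),
]

def section_matches(kind, pattern, filename):
    """<Files> compares the literal name; <FilesMatch> applies a regex."""
    if kind == "files":
        return filename == pattern
    return re.search(pattern, filename) is not None

def is_allowed(request_path, rules=HTACCESS_RULES):
    """True if the path would be served, False if it would get a 403.

    Sections whose directory contains the file are applied from the
    document root inward, so the deepest matching section decides; a file
    that no section matches keeps Apache's default and is served."""
    directory, filename = posixpath.split(request_path)
    verdict = True
    for rule_dir, kind, pattern, allowed in sorted(
            rules, key=lambda r: r[0].count("/")):
        inside = directory == rule_dir or directory.startswith(rule_dir + "/")
        if inside and section_matches(kind, pattern, filename):
            verdict = allowed
    return verdict

def audit(paths):
    """Map each requested path to 'served' or '403' for a quick review."""
    return {p: ("served" if is_allowed(p) else "403") for p in paths}
```

Running `audit` over the paths of every .php file under assets/ is a quick way to confirm that only the intended connectors stay reachable after adding a new exception.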
                    • 36799
                    • 40 Posts
                    Well, I downloaded and installed the htaccess fixes from GitHub and uploaded them, and the net result was that on mobiles the site was not using the main style CSS and within the manager there was no TinyMCE?

                    If I take the .htaccess out of assets, the manager works and the site looks OK on mobiles?
                      • 3749
                      • 24,544 Posts
                      Quote from: mrhaw at Jul 03, 2014, 08:50 AM
                      Most security holes reside in Extras being uploaded to assets folder.

                      There are 3 things you can do to secure old sites:

                      2. Restrict access to .tpl and .php files in assets folder:
                      <filesmatch "\.(php|tpl)$">
                         Order allow,deny
                         Deny from all
                      </filesmatch>


                      Disappearing Articles:

                      For others reading this thread, this kills Articles. No Articles show up when you go to "Manage Articles."
                        Did I help you? Buy me a beer
                        Get my Book: MODX:The Official Guide
                        MODX info for everyone: http://bobsguides.com/modx.html
                        My MODX Extras
                        Bob's Guides is now hosted at A2 MODX Hosting