HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php - My Forums

Re: HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php

mrhaw — Oct 17, 2018, 06:59 PM

This is for EVO and Ditto. I only recommend people doing this for Revolution: https://forums.modx.com/thread/104072/security-issue-with-gallery-extra-below-1-7-1#dis-post-562056

Re: HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php

BobRay — Oct 16, 2018, 06:18 AM

Quote from: mrhaw at Jul 03, 2014, 08:50 AM

Most security holes reside in Extras being uploaded to assets folder.

There are 3 things you can do to secure old sites:

2. Restrict access to .tpl and .php files in assets folder:
   Order allow,deny
   Deny from all

Disappearing Articles:

For others reading this thread, this kills Articles. No Articles show up when you go to "Manage Articles."

Re: HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php

gavinbaylis — Aug 13, 2014, 09:00 AM

Well downloaded and installed the htaccess fixes from github and uploaded and net result on mobiles site was not using the main style css and within manager there was no tinymce ?

If I take the .htaccess out of assets manager works and the site looks ok on mobiles?

Re: HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php

mediengaarage — Aug 13, 2014, 06:46 AM

In newer Easy2gallery installations you have to put the .htaccess not in folder /controllers but in the the folder assets/modules/easy2/includes/connector with this text:


Order deny,allow
allow from all

Then all works fine.

Re: HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php

hgw7m — Aug 13, 2014, 06:19 AM

Did you also remove the numerous php-Files (like 123456.php) that were uploaded to some folders, like assets/images, assets/files and sometimes deeper into manager folder als well?

You should do clean updates to 1.0.14 as JaKo described in a post:
http://forums.modx.com/thread/92609/modx-evo-spamming#dis-post-506096

I have also changed passwords etc and deleted numerous snippet.ditto.2.php in both cache and assets/snippets/ditto dirs

Re: HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php

hgw7m — Aug 13, 2014, 05:23 AM

Danke - für Easy2Gallery hat nun folgendes funktioniert:

Für die Funktion „Lightbox“ (oder anderer Viewer) im Frontend eine .htaccess in assets/modules/easy2 mit folgendem Inhalt:

Order deny,allow
allow from all

Für die Thumbnailanzeige im Backend eine .htaccess in
assets/modules/easy2/includes/controllers

Order deny,allow
allow from all

Re: HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php

gavinbaylis — Aug 13, 2014, 05:17 AM

I have had a nightmare over this the past month - I am now deleting ditto and ajaxSearch as well as index-ajax.php in root for all sites not using the ditto & search functionality.

I have also disabled the forgot manager plugin

I would just like to confirm that the htaccess in the root should be configured like this now

SetEnvIfNoCase User-Agent "Jakarta Commons" keep_out
SetEnvIfNoCase User-Agent "Y!OASIS/TEST"    keep_out
SetEnvIfNoCase User-Agent "libwww-perl"     keep_out
SetEnvIfNoCase User-Agent "MOT-MPx220"      keep_out
SetEnvIfNoCase User-Agent "MJ12bot"         keep_out
SetEnvIfNoCase User-Agent "Nutch"           keep_out
SetEnvIfNoCase User-Agent "cr4nk"           keep_out


# For full documentation and other suggested options, please see
# http://svn.modxcms.com/docs/display/MODx096/Friendly+URL+Solutions
# including for unexpected logouts in multi-server/cloud environments
# and especially for the first three commented out rules

#php_flag register_globals Off
#AddDefaultCharset utf-8
#php_value date.timezone Europe/Moscow

Options +FollowSymlinks
RewriteEngine On
RewriteBase /

# Fix Apache internal dummy connections from breaking [(site_url)] cache
RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
RewriteRule .* - [F,L]

# Rewrite domain.com -> www.domain.com -- used with SEO Strict URLs plugin
#RewriteCond %{HTTP_HOST} .
#RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
#RewriteRule (.*) http://www.example.com/$1 [R=301,L]

# Exclude /assets and /manager directories and images from rewrite rules
RewriteRule ^(manager|assets)/*$ - [L]
RewriteRule \.(jpg|jpeg|png|gif|ico)$ - [L]

# For Friendly URLs
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*) [NC,OR]
RewriteCond %{QUERY_STRING} (.*)(reflect\.php|contact\.php)(.*) [NC,OR]
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ /blackhole/index.php? [R,L]

# Reduce server overhead by enabling output compression if supported.
#php_flag zlib.output_compression On
#php_value zlib.output_compression_level 5

As well as creating a new .htaccess in the assets folder dir


   Order allow,deny
   Deny from all

I have also changed passwords etc and deleted numerous snippet.ditto.2.php in both cache and assets/snippets/ditto dirs

Re: HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php

Jako — Aug 13, 2014, 02:58 AM

Think this could work for multiTV. Create a .htaccess file in assets/tvs/multitv with the content:


   Order deny,allow
   allow from all

Same approach should work in easy2gallery (allowing only the thumbnail controller file to be executed).

Re: HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php

mrhaw — Aug 12, 2014, 05:39 PM

Quote from: hgw7m at Aug 12, 2014, 11:05 AM

...
Is there a way to specify folders or certain php files to allow to be executed? Or specify a user (MODX System ...?) who is not denied? I'm aware that this may reduce the security effect of the rule...

Thanks for your hints again!

I need to make research on allowing a subfolder breaking free. As of now I can only think of placing individual .htaccess in all assets folders except modules. Then you could add some security by renaming the module folders + update the change in the include() / or header() paths.

This security measure also effects multiTV! It sounded like Jako had an idea how to workaround this...
http://forums.modx.com/thread/91265/modx-evolution-1-0-14-out-now#dis-post-499625

Re: HACK, check your site: /assets/snippets/ditto/snippet.ditto2.php

hgw7m — Aug 12, 2014, 06:05 AM

Hello mrhaw,

we now ran into a problem with mrhaw's great security todo recommendations and easy2gallery:

2. Restrict access to .tpl and .php files in assets folder:


   Order allow,deny
   Deny from all

Unfortunately this seems to prevent easy2gallery snippet to show thumbnails in manager (easy2-> Menu/Files) and to load big images i frontend

The timeline says that /assets/modules/easy2/includes/controllers is 403/Forbidden,

and

show.easy2gallery.php?fid=99
/assets/modules/easy2 is 403/Forbidden

Removing the htaccess rule makes the thumbnails and big images visible again.

Is there a way to specify folders or certain php files to allow to be executed? Or specify a user (MODX System ...?) who is not denied? I'm aware that this may reduce the security effect of the rule...

Thanks for your hints again!