SOLVED Warnings from RSFirewall

    • andrewm57
    • Sr. Rocketeer
    • Posts: 189
    • Thanks: 1

    SOLVED Warnings from RSFirewall

    Posted 8 years 8 months ago
    • New site with J3.6.0, Ambrosia 1.1.1, Gantry 5.2.14

      Ran a System Scan with RSFirewall and it returned warnings for 9 RT/Gantry files. Hiding the details below.

    • HawkFeather Web Design
    • Matt
    • Preeminent Rocketeer
    • Posts: 22254
    • Thanks: 3223
    • messin' with stuff

    Re: SOLVED Warnings from RSFirewall

    Posted 8 years 8 months ago
    • andrewm57
    • Sr. Rocketeer
    • Posts: 189
    • Thanks: 1

    Re: SOLVED Warnings from RSFirewall

    Posted 8 years 8 months ago
    • Matt
    • Preeminent Rocketeer
    • Posts: 22254
    • Thanks: 3223
    • messin' with stuff

    Re: SOLVED Warnings from RSFirewall

    Posted 8 years 8 months ago
    • From the other thread:


      While I think that RS Firewall is a great extension to have, I personally think that they have taken too paranoid an approach against malware, making their extension detect code that is the official recommendation in the PHP documentation on how to properly use the function. There is no such thing in PHP as "Unsafe directory creation" and if you want to read more about it, you can just visit the PHP documentation: php.net/manual/en/function.mkdir.php

      PHP filters the directory permissions by the configuration found in the php.ini file; 0777 becomes 0755 on most systems. In fact, 0777 is the default parameter for the function and is recommended unless you are creating a temporary directory.

      I've contacted the RS Firewall authors about removing or changing the misleading warning, but they refused to do it, claiming that most malware happens to contain that code. The issue to me is that the same code can be found in almost all PHP code because it happens to be the recommended way to write that code.

      The second type of warning (like most of the mkdir ones) comes from Doctrine, which is one of the most used and most famous PHP libraries out there. The "obfuscated code" is used to detect and remove illegal latin1 characters from the strings. Because they are not UTF8, they cannot be written as characters but as codes, so in this case it's a false alarm.

      PS: In the past I've worked as a security specialist for 7 years, creating firewall software (IPS) that detects attack patterns and blocks them. So I consider myself a security expert.



      We are using some external libraries, which aren't part of Joomla (Joomla itself has its own directory creation function you can use). Most of the results are coming from those well-known 3rd party libraries. The rest of them are coming from file caching.

      The attacks are not coming from the above files (I have checked all of them), but of course there can always be some other loophole which hackers can use. But if there is, RSFirewall isn't aware of the attack vector which was used.

      Which version of Joomla did you have on those sites? Every single version below 3.4.6 (including J! 1.5 and 2.5) is vulnerable to a remote code execution vulnerability which allows an attacker to run his own code and replace, for example, includes.php with a malicious version of the file. The attacks were so common that unpatched Joomla sites (without a firewall that blocked the attack) were almost all compromised within 24 hours, many of them in a few hours from the Joomla release.

      The issue with hacked sites is that hackers usually add some fairly innocent looking file which allows them to hack the site again and again even if it was later patched.

      -Matias
    • Last Edit: 8 years 8 months ago by Matt.
    • The following users have thanked you: Shannon Barnett

    • SEARCH the forum first! These boards are rich in knowledge and vast in topics. This includes searching just the 'Solved' forums, using Google, and using ChatGPT :woohoo:
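
Added example, not part of the original posts and not RSFirewall, Gantry or Doctrine code: on a POSIX system the mode passed to PHP's `mkdir()` is masked by the process umask, so a `0777` literal in source does not by itself tell you what ends up on disk. The sketch below creates directories under three umasks and then audits the tree for directories that are actually world-writable; the function names `modeAfterMkdir` and `worldWritableDirs` and the temp paths are constructed for the demo.

```php
<?php
// Added example: effective directory modes versus the mode literal in source.
// Assumes a POSIX filesystem and PHP CLI; all names and paths are constructed.

/** Create $path with mkdir(..., 0777) under $umask and return the resulting mode bits. */
function modeAfterMkdir(string $path, int $umask): int
{
    $old = umask($umask);               // umask is per-process, so restore it afterwards
    try {
        if (!mkdir($path, 0777, true)) {
            throw new RuntimeException("mkdir failed: $path");
        }
        clearstatcache(true, $path);
        return fileperms($path) & 0777; // drop the file-type bits
    } finally {
        umask($old);
    }
}

/** List directories below $root that are world-writable and lack the sticky bit. */
function worldWritableDirs(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        if (!$entry->isDir() || $entry->isLink()) {
            continue;
        }
        $perms = $entry->getPerms();
        if (($perms & 0002) && !($perms & 01000)) {
            $hits[] = sprintf('%04o %s', $perms & 07777, $entry->getPathname());
        }
    }
    sort($hits);
    return $hits;
}

$root = sys_get_temp_dir() . '/mkdir-demo-' . bin2hex(random_bytes(4));
foreach ([0022 => 'cache', 0027 => 'private', 0000 => 'open'] as $umask => $name) {
    printf("umask %04o -> mode %04o (%s)\n", $umask, modeAfterMkdir("$root/$name", $umask), $name);
}
print_r(worldWritableDirs($root));      // only the directory created under umask 0000

foreach (['cache', 'private', 'open'] as $name) {
    rmdir("$root/$name");               // clean up the demo tree
}
rmdir($root);
```

Pointing `worldWritableDirs()` at a site's document root reports the on-disk condition directly, which helps when triaging scanner warnings that are based on source patterns alone.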
