diff options
| -rw-r--r-- | files/conf.d/joomla.inc | 30 | ||||
| -rw-r--r-- | manifests/defines/vhost_varieties.pp | 2 | ||||
| -rw-r--r-- | manifests/joomla.pp | 5 | ||||
| -rw-r--r-- | templates/vhosts/php_joomla/CentOS.erb | 4 |
4 files changed, 41 insertions, 0 deletions
diff --git a/files/conf.d/joomla.inc b/files/conf.d/joomla.inc new file mode 100644 index 0000000..1535ce3 --- /dev/null +++ b/files/conf.d/joomla.inc @@ -0,0 +1,30 @@ +########## Begin - Rewrite rules to block out some common exploits +# against joomla's +# +# Block out any script trying to set a mosConfig value through the URL +RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] + +# Block out any script trying to base64_encode crap to send via URL +RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR] + +# Block out any script that includes a <script> tag in URL +RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] + +# Block out any script trying to set a PHP GLOBALS variable via URL +RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] + +# Block out any script trying to modify a _REQUEST variable via URL +RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR] + +# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue) +RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|\%20|\%5B).*= [NC,OR] + +# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard) +RewriteCond %{QUERY_STRING} sbp(=|\%20|\%3D) [OR] +RewriteCond %{QUERY_STRING} sb_authorname(=|\%20|\%3D) + +# Send all blocked request to homepage with 403 Forbidden error! +RewriteRule ^(.*)$ index.php [F,L] +# +########## End - Rewrite rules to block out some common exploits + diff --git a/manifests/defines/vhost_varieties.pp b/manifests/defines/vhost_varieties.pp index 2e90f9e..cf2a98e 100644 --- a/manifests/defines/vhost_varieties.pp +++ b/manifests/defines/vhost_varieties.pp @@ -191,6 +191,8 @@ define apache::vhost::php::joomla( $manage_directories = true ){ + include apache::joomla + apache::vhost::phpdirs{"${name}": ensure => $ensure, php_upload_tmp_dir => $php_upload_tmp_dir, diff --git a/manifests/joomla.pp b/manifests/joomla.pp new file mode 100644 index 0000000..02f398b --- /dev/null +++ b/manifests/joomla.pp @@ -0,0 +1,5 @@ +# manifests/joomla.pp + +class apache::joomla { + apache::config::file{'joomla.inc': } +} diff --git a/templates/vhosts/php_joomla/CentOS.erb b/templates/vhosts/php_joomla/CentOS.erb index aa0714e..cf8a40a 100644 --- a/templates/vhosts/php_joomla/CentOS.erb +++ b/templates/vhosts/php_joomla/CentOS.erb @@ -23,6 +23,8 @@ <%- end -%> <%- if not ssl_mode.to_s == 'force' then -%> <Directory "<%= documentroot %>/"> + Include conf.d/joomla.inc + AllowOverride <%= allow_override %> <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%> <%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%>+Includes<%- end -%> @@ -96,6 +98,8 @@ AddDefaultCharset <%= default_charset %> <%- end -%> <Directory "<%= documentroot %>/"> + Include conf.d/joomla.inc + AllowOverride <%= allow_override %> <%- if options.to_s != 'absent' or do_includes.to_s == 'true' then -%> Options <%- unless options.to_s == 'absent' then -%><%= options %><%- end -%> <%- if do_includes.to_s == 'true' and not options.include?('+Includes') then -%>+Includes<%- end -%> |