# joomla3 and lighttpd security

## msst

I have been using lighttpd for several years on a small mini-server, and it does its job in a nice lean way.

About the only problem is usually packages that make heavy use of .htaccess configs. One such package is joomla, which uses, e.g., a central .htaccess file:

```
## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site then comment out the operations listed
# below by adding a # to the beginning of the line.
# This attempts to block the most common type of exploit `attempts` on Joomla!
#
# Block any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.
```

Now lighttpd will simply ignore this file. The site will work, but it might be open to some exploit vectors because these blocking rewrites are not applied.

I have googled for joomla3 and lighttpd and surprisingly no obvious solution or translation of these rewrites comes up (lighttpd can also use rewrites, just the location and format differs). With so many joomla installations that is surprising.

Are these rewrites considered obsolete? Or is simply no one using joomla on lighttpd? Does someone know which lighttpd rewrites one should use instead of this htaccess file?

----------

## Syl20

Historically, the .htaccess files are an apache feature. Why not replace lighttpd, if it stops using them?

----------

## msst

*Quote:*

> Why not replace lighttpd, if it stops using them?

Lighttpd uses a different configuration syntax and has never used these files. As you say, these files are apache specific. Lighttpd works very well for everything else, however, and I have it fully set up for the rest, so I am reluctant to replace it with a much fatter package such as apache, which I would then have to completely reconfigure.

As joomla is a very broadly used package, I was and am wondering why the topic of lighttpd / joomla and its apache specific config file is not yet covered anywhere. Surely many are using joomla, and not everyone is using apache as the webserver daemon.

----------

## Hu

Those rewrites appear to be attempts to blacklist selected strings that might, if passed to a sufficiently buggy version of joomla, result in a security problem. If you are not running a version of joomla with security bugs, the rewrites are unnecessary. If you are running a version with security bugs (or are worried that there might be security bugs), the filters ought to be based on whitelisting good inputs, not blacklisting bad ones. Blacklisting bad inputs is always bad practice, because you need to blacklist every possible bad input. Blacklisting the inputs outside the tool itself is even worse since, as you discovered here, users now must run the tool inside a wrapper that applies the blacklist. Perhaps you have not found any guides for other daemons because no one else has wanted joomla to the point they were willing to port the blacklist to other access languages.

The script rewrite rule could be made obsolete with a simple Content Security Policy to prevent inline scripts, so that any bugs which inject a script into the page are blocked by the browser's sandbox.
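As an added illustration, not from this thread or the Joomla project, this is how the .htaccess block from the opening post and Hu's CSP suggestion could be expressed in lighttpd's native configuration. It assumes lighttpd 1.4.x built with PCRE, with mod_access and mod_setenv loaded; the regex patterns are copied from the .htaccess.

```conf
# Added example (not from this thread or the Joomla project): the four
# Joomla .htaccess RewriteCond patterns and Hu's CSP suggestion expressed
# in lighttpd's own configuration.
# Assumes lighttpd 1.4.x built with PCRE, and mod_access / mod_setenv loaded.
server.modules += ( "mod_access", "mod_setenv" )

# lighttpd has no RewriteCond/[OR] chaining; one regex conditional on the raw
# query string covers all four rules. The (?i: ... ) group reproduces the [NC]
# flag that the .htaccess applies only to the <script> rule.
$HTTP["querystring"] =~ "base64_encode[^(]*\([^)]*\)|(?i:(<|%3C)([^s]*s)+cript.*(>|%3E))|GLOBALS(=|\[|%[0-9A-Z]{0,2})|_REQUEST(=|\[|%[0-9A-Z]{0,2})" {
    # Equivalent of "RewriteRule .* index.php [F]": answer 403 Forbidden.
    # An empty suffix in url.access-deny matches every URL inside this block.
    url.access-deny = ( "" )
}

# Hu's alternative for the <script> rule: let the browser refuse inline
# scripts instead of pattern-matching the URL. Report-only mode is used here
# because Joomla 3 templates and extensions commonly emit inline scripts.
setenv.add-response-header = (
    "Content-Security-Policy-Report-Only" => "script-src 'self'"
)
```

Once the browser console shows no CSP reports for legitimate pages, the header can be switched to Content-Security-Policy to actually enforce it.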

----------

## msst

I totally agree that relying on a specific external config file, which is only used in certain circumstances and otherwise ignored, is bad coding practice. But that is what ships with the most current joomla stable version...

It is very likely meant as a second line of defense, and as such a whitelist would be better, but it would also be extremely complicated to whitelist every possible parameter that joomla plus its numerous extensions can potentially use. There would be thousands of possible legitimate request forms.

*Quote:*

> Perhaps you have not found any guides for other daemons because no one else has wanted joomla to the point they were willing to port the blacklist to other access languages.

Possible. But joomla is used on a huge number of sites, many, many millions of servers. And lighttpd is one of the more popular apache alternatives. It is thus basically statistically guaranteed that a certain number of webservers run lighttpd / joomla as a combo. In this case this apache config file is then simply ignored, with the site otherwise working perfectly, just not filtering these few requests. And I have found such ports for less frequently used stuff, so I was wondering what the status of these configs is.

----------

