Rename templates index.php file


Mr Phil E. Taylor

Jun 29, 2009, 7:34:36 AM
to joomla-...@googlegroups.com
Dear All.

Those of you that have had to deal with hacked sites in the past know
that hackers love to target index.php index.html default.php and
default.html files.

Having just had to tell a customer that his dream template's index.php
has just been replaced with a hacked file (with of course no backups made
by the non-techie customer), I wonder if there is a case for not using
the index.php filename for the main file of a template? Maybe call it
template.php or something else? Or, even better, have it be anything the
template developer wants, but defined in the database or XML?

I know it's not more "secure", but it will stop more and more people
losing their hard work.

Thoughts?

Kindest regards
Phil.

Stian Didriksen

Jun 29, 2009, 7:38:49 AM
to joomla-...@googlegroups.com
Why not secure and backup your sites in the first place?
When the site is compromised in the first place, does the name of the
index.php file really matter?
How can you make the name confuse the hacker enough to not find it,
and at the same time not make the naming a mess?

The only thing that can prevent users from losing their hard work is
what they obviously failed to do in the first place: backups.

Andrew Eddie

Jun 29, 2009, 7:41:54 AM
to joomla-...@googlegroups.com
I can see your point, but any php file could be overwritten as well.
I don't think it's a practical suggestion because it just shifts the
attack vector to the next weakest link.

Regards,
Andrew Eddie
http://www.theartofjoomla.com - the art of becoming a Joomla developer


2009/6/29 Mr Phil E. Taylor <ph...@phil-taylor.com>:

Amit Patekar

Jun 29, 2009, 7:47:57 AM
to joomla-...@googlegroups.com
Hi all,
It makes no sense to change index.php to any other file name, as any
hacker is smart enough to find the new file name.
The only thing we can do is take a backup and keep it in a safe place.
The most important thing is to keep the proper file permissions:
folder->555
files->444
Achieving this in Joomla is difficult because of
the large number of files, but there is no other alternative.

regards
webworldguru
http://www.webworldguru.com
--
Amit Patekar
Project Manager (Web Development Team)
Ph. 020-27474017
Mob. 9766368209,
9372450966
Add. 3/1 Prestige Complex
Chinchwad Station,
Telco Road, Near Sheetal Hotel,
Pune 411019
Maharashtra
India.

joomlagate.com

Jun 29, 2009, 7:50:58 AM
to joomla-...@googlegroups.com
I don't think renaming the index.php file is a good idea. It will make the naming method a mess.

How about just making index.php unwritable after you have set up the website and finished your settings?


Best regards,
joomlagate.com.

http://www.joomlagate.com

Chinese Joomla Users' Portal

Mr Phil E. Taylor

Jun 29, 2009, 7:55:22 AM
to joomla-...@googlegroups.com
I know I know I know - but there are thousands who don't :-)

The main type of hacker is not smart - it's an automated script that
attacks index.php files - not specifically Joomla template files, but
any writable index.php file. That's my point: index.php is a reserved
filename for the default file in a folder and that's why hackers/hacking
scripts target them - it has nothing to do with it being Joomla or a
Joomla template at all.

IIRC Drupal uses template.php and a configurable file name :-)

It just seems very easy pickings to me. Easy to change.

Yes, it doesn't make Joomla any more "secure", but it does stop automated
index.php-replacing hacks from messing you around...

just a thought.

Mr Phil E. Taylor

Jun 29, 2009, 7:58:06 AM
to joomla-...@googlegroups.com
In fact Joomla ENCOURAGES writable permissions on the template index.php
files so they can be modified using the admin console :-) Maybe that
feature should be removed? Just an afterthought :-)

Antti Tuppurainen

Jun 29, 2009, 7:58:37 AM
to joomla-...@googlegroups.com
In server-wide attacks I have seen many automatic scripts that just loop over all files in every website configured on the server and replace the content of index.php - so I am with Phil's idea!

Joomla files can easily be overridden with those from the installer zip/tgz file, but template files are certainly not included in daily backup basics.

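The permission advice Amit and joomlagate give (freeze index.php once the site is set up) and the mass-replacement scripts Phil and Antti describe, worked through as an added example that is not code from this thread or from Joomla: a POSIX shell script that inventories the default-document files under a web root (index.php, index.html, default.php, default.html), records a SHA-256 baseline, reports files that are writable or have changed since the baseline, and strips their write bits. The web root and baseline paths are assumptions, and it assumes GNU sha256sum or BSD/macOS shasum is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Joomla: inventory the
# default-document files that mass-defacement scripts overwrite, keep a
# SHA-256 baseline, report writable or changed files, and freeze them.
# Assumes sha256sum (GNU) or shasum (BSD/macOS); use an absolute web root.

# One path per line for every default-document file below web root "$1".
list_default_files() {
    find "$1" -type f \( -name index.php -o -name index.html \
        -o -name default.php -o -name default.html \) | sort
}
# "hash  path" line for one file, with whichever SHA-256 tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}
# Record baseline "$2" for web root "$1": run after setup, before any incident.
write_baseline() {
    list_default_files "$1" | while IFS= read -r f; do hash_file "$f"; done > "$2"
}
# Compare tree "$1" with baseline "$2"; prints "<path> changed|new|missing".
check_baseline() {
    list_default_files "$1" | while IFS= read -r f; do
        if grep -qxF "$(hash_file "$f")" "$2"; then :          # unchanged
        elif cut -c67- "$2" | grep -qxF "$f"; then printf '%s changed\n' "$f"
        else printf '%s new\n' "$f"                             # dropped file
        fi
    done
    cut -c67- "$2" | while IFS= read -r f; do                  # hash is 64 hex + 2 spaces
        [ -e "$f" ] || printf '%s missing\n' "$f"
    done
}
# True when any write bit is set in the mode column of ls -l (portable,
# and unlike [ -w ] it does not answer "yes" to everything when run as root).
has_write_bit() {
    case "$(ls -ld "$1" | cut -c1-10)" in *w*) return 0 ;; *) return 1 ;; esac
}
# Default-document files that a process on the host could overwrite.
list_writable() {
    list_default_files "$1" | while IFS= read -r f; do
        if has_write_bit "$f"; then printf '%s\n' "$f"; fi
    done
}
# Strip all write bits (mode 444) once the site is configured; re-run
# write_baseline afterwards. Directories are left alone: Joomla still needs
# writable cache/ and tmp/, which is why blanket 555/444 is hard to apply.
freeze_default_files() {
    list_default_files "$1" | while IFS= read -r f; do chmod a-w "$f"; done
}
```

Run `write_baseline /path/to/webroot /path/to/baseline.sha256` once after setup and `check_baseline` from cron; an admin-console template edit will show up as "changed", so refresh the baseline after intentional edits.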

Hannes Papenberg

Jun 29, 2009, 8:28:40 AM
to joomla-...@googlegroups.com
I don't think it would make a real difference to change the name of the
main template file to something else than index.php in terms of
security. Hackers will find the new template file just as easily.
However, I would change the name for support and clarity reasons. You
often enough have users that want to change their template or have been
hacked and you tell them to go to the index.php file and delete the
hacker's code. They go to the first index.php file that they find, delete
the unknown code and their site is unusable, since they deleted the
index.php file in the root of Joomla. By changing this to maybe
main.php, this would be clearer. It would also enforce the idea that
the current index.php file is not a special file that needs to be there
all the time. It makes it more obvious, to me at least, that
component.php and error.php basically have the same importance as
index.php and are also used to style your output.

That said, I wouldn't discuss this solely from the standpoint of security,
but more in terms of support and improving people's understanding of the
system. In the end however, this is a small change with a whopping huge
impact on the community, which is why I'm hesitant to include it. A
legacy layer for this would be possible, but it would cost a little bit of
performance...

Hannes

Mr Phil E. Taylor wrote:

Andrew Eddie

Jun 29, 2009, 7:10:40 PM
to joomla-...@googlegroups.com
I can get behind that - and they are good reasons.

I wouldn't bother with the legacy support for index.php - a name
change is fine. They can do that while dropping the legacy layout
overrides for 1.5 compatibility.

"main.php" doesn't really grab me but I can't think of anything better.

Regards,
Andrew Eddie
http://www.theartofjoomla.com - the art of becoming a Joomla developer




2009/6/29 Hannes Papenberg <hack...@googlemail.com>:

Carolien

Jun 30, 2009, 3:29:14 AM
to Joomla! CMS Development
Andrew Eddie wrote:
> "main.php" doesn't really grab me but I can't think of anything better.

What about template.php ? Then it's clear for Joomla! noobs which file
is the main template file. Or maybe it's better to say
main_template.php . The only problem with template.php is that it
seems a more important file than component.php or error.php .

Regards, Carolien


Amy Stephen

Jun 30, 2009, 7:51:48 AM
to joomla-...@googlegroups.com
If this name is going to be changed, is it possible to make it a configuration option that defaults to index.php for good backwards compatibility?

G. D. Speer

Jun 30, 2009, 11:13:34 AM
to joomla-...@googlegroups.com
Is there a reason to change the name just because associated legacy functionality is being dropped?
Is the name change to signify it's been reviewed/adapted for use in 1.6?


Amy Stephen

Jun 30, 2009, 11:58:51 AM
to joomla-...@googlegroups.com
A point has been raised that many security cracks target the index.php file for Templates. The basis of that argument is since many of these idiots are, indeed, idiots, it might help reduce the incident rate if the name is changed from index.php to something else. There is some truth to that.

Andrew pointed out security by obscurity really isn't a good defense which Hannes then agreed with but pointed out a second reason why this change could be helpful mentioning that during a crack cleanup, less technical people sometimes accidentally delete the root index.php file, rather than the template index.php file, thus shooting themselves in the foot during a time they are already bleeding from another bullet wound. For that reason, Hannes suggested it might be worthwhile to make this template index.php file change, anyway.

Then, Andrew said he could see some benefit to that and suggested using main.php. Carolien suggested template.php. Then I said, "Hey! What about making it a parameter?" because someone has to make that suggestion and it had not yet been raised.

Then you read this long thread and assumed we were discussing a legacy issue, instead of a security/usability change, but really this isn't legacy.

And, here we are. :) Hope that helps. lol - isn't communication fun?

G. D. Speer

Jun 30, 2009, 5:18:59 PM
to joomla-...@googlegroups.com
Amy, Thank you - I had picked up the thread from Eddie/Carolien on and missed the first point - my baaad!
I'll agree that security by obscurity that has no uniqueness is only going to delay the inevitable vulnerability. 
Your suggestion is clever and has simple elegance - it will work until a bot is programmed to notice a recurring URL/page file naming pattern within a site; but until then ....
 
Duke

g s

Jun 30, 2009, 7:39:46 PM
to joomla-...@googlegroups.com
This discussion went in the wrong direction.
As already pointed out, the core problem is system security, a
widespread problem on poorly configured web hosting systems.

So, wouldn't it be more productive to make people understand how they can
choose a hosting provider or set up their server?
Some steps have already been taken by the dev team and the community:
just think about the security checklist, the suggested provider list, articles
about hosting providers in community blogs, the service directory and so on.

Just think about how many providers do not use suPHP or PHP FastCGI (the
popular Parallels Plesk did not have it until the latest version 9
release!), or how many of them do not disable functions used only by
malicious scripts.


As a correct environment setup takes care of the major security problems,
and a misconfigured system creates more problems than it should,
wouldn't it be better for the whole community to give more credit to
serious hosting providers?
The market will surely evolve, slowly, in favour of those ISPs which
seriously take care of security, but for the average user it's very
hard to understand which one suits his needs, simply because the
average user chooses Joomla for its simplicity and doesn't care too much
about technicalities.

I believe in the free market, but isn't the time ripe to create some sort
of logic to select good and bad providers for Joomla hosting?
Take this as a provocation :)

my best regards

Gabriele Sabadini


Amy Stephen

Jun 30, 2009, 8:21:17 PM
to joomla-...@googlegroups.com
Sadly, my idea would only be clever w a patch. :)

Mitch Pirtle

Jun 30, 2009, 11:54:08 PM
to joomla-...@googlegroups.com
Two things on this subject - one practical, the other a personal rant.
Joomla only providing one single file called index.php in the base
distribution IMHO would be a beautiful thing on many levels -
especially if it did not introduce significant complexity or
performance penalty for doing so, but that would depend on the
implementation strategy.

On the practicality side, it is simply not logical to presume that
since someone didn't secure their webserver properly, Joomla should
punish them by deliberately being a sitting duck for the skr1pt
k1dd13z. We should take steps so we can proudly say "you can hack
Joomla, but you gotta do it with a lot of love" as opposed to "hey,
your server got hacked, so let's make this a piece of cake for the bad
guys to totally deface hundreds of files with little or no technical
expertise whatsoever." That's 'power in simplicity' gone horribly
wrong. :-)

The personal rant is that at least two to three times a day I find
myself with eclipse having fifteen tabs open for files all called
index.php. For the love of $deity, can we please, PLEASE introduce
some uniqueness? Talk about retinal stress! hehe

-- Mitch

Andrew Eddie

Jul 1, 2009, 12:57:15 AM
to joomla-...@googlegroups.com
I think making the file name configurable makes it difficult to set a
"standard", particularly for training people "the Joomla way".

Regards,
Andrew Eddie
http://www.theartofjoomla.com - the art of becoming a Joomla developer




2009/7/1 Amy Stephen <amyst...@gmail.com>:

Sam Moffatt

Jul 1, 2009, 1:30:11 AM
to joomla-...@googlegroups.com
I like the idea of template.php; we can always try to load it first
and if it fails work backwards to an index.php file if need be. I can
certainly see the usability argument in it and agree. Template people
will instead end up with a whole heap of 'template.php' files instead
of 'index.php'; not sure if this is of concern. However, setting a
configurable custom file name would mean that you have to put it
somewhere that you parse every time for your template to check if a
custom file name has been set or not, which seems like a strange hit to
performance when the majority of the time the file name isn't going to
change once it's deployed.

Though I'm sort of tempted, at this point they've got control of your
file system obviously - they can create/leave far worse payloads than
attacking a template file. I'm just curious, what was the attack
vector in this case Phil? Was it something in the Joomla! Core, a
third party extension or something else?

Sam Moffatt
http://pasamio.id.au

Antti Tuppurainen

Jul 1, 2009, 2:20:27 AM
to joomla-...@googlegroups.com
Just some more thoughts about this issue

1) /public_html/templates/mytheme/template.html.php sounds very good
2) /public_html/templates/mytheme/page.html.php  is also better than options in 3.
3) /public_html/templates/mytheme/main.php or template.php or index.php


The power should be in the template and the template's CSS. As a site builder I don't like at all that 3rd party component/module developers add their own CSS/JavaScript to the head that is hard to override in template.css

From yesterday's live example - it is hard to jump between all these files:

edit administrator/components/com_virtuemart/html/shop.product_details.php
edit components/com_virtuemart/themes/ja_larix/templates/common/shopIndex.tpl.php
edit components/com_virtuemart/themes/ja_larix/theme.css
edit modules/mod_gk_tab/styles/horizontal/style1.css
edit templates/mytheme/html/com_content/category/blog_item.php
edit templates/mytheme/css/template_css.css

and when it comes to plugins and adding MVC-like output to some of them it just creates more places to edit things.

I propose that template overrides can include also component, plugin and module overrides

So from yesterday's example I would _like_ to copy shop_product_details.php to
templates/mytheme/administrator/com_virtuemart/shop.product_details.php
copy shopIndex.tpl.php to
templates/mytheme/components/com_virtuemart/common/shopIndex.tpl.php
copy theme.css to
templates/mytheme/components/com_virtuemart/theme.css
copy style1.css to
templates/mytheme/modules/mod_gk_tab/styles/horizontal/style1.css
and with the same naming convention copy blog_item.php to
templates/mytheme/components/com_content/category/blog_item.php

so the theme folder structure would be 
mytheme/administrator/
mytheme/components/
mytheme/modules/
mytheme/plugins/
mytheme/template.html.php


Would this give the feeling "simplicity with power"?