OneThird CMS

Lightweight CMS for Small website, Web application framework.


Security with a WAF and OneThird CMS

About WAFs

A WAF (Web Application Firewall) and OneThird CMS are a poor match: under a WAF running with its normal rules, OneThird CMS is not expected to work correctly.

If you still want to run alongside a WAF, one approach is to create a separate URL for updates in addition to the public URL, and let only that update URL, protected by BASIC authentication, bypass the WAF.

To create the two URLs, configure Apache first and then add the following to config.php.

Example

$ {For ()}

In this example, domain1.com is the URL that ordinary users access through the WAF, and domain2.com is the URL placed behind BASIC authentication.


OneThird CMS security

In addition to the basic security measures, OneThird CMS specifically strengthens the following points:

  1. In the document title and in all data other than the body text, the characters that readily form vulnerabilities, namely <, >, " (double quotes) and ' (single quotes), can no longer be used (the standard sanitization function removes them all)
    → This is sometimes inconvenient, but the policy is to keep control characters out of the DB as far as possible
  2. All POST data must carry a token
    → A POST without a token always results in an error; if POSTs without a token continue while not logged in, the access is regarded as an attack and that IP address is shut out
  3. A built-in mechanism hides the folder in which the accessible PHP programs are placed
    → Hiding the control panel URL and the login URL makes the site less likely to be attacked


Hiding the control panel URL and the login URL

It is well known that attacks on WordPress and similar CMSs begin by scanning for wp-login.php.

There are also cases here and there where a site is tampered with by directly accessing a PHP file under admin that contains a vulnerability.

A program designed to be secure should not be attackable this way in the first place, but no program is 100% free of flaws.

So, as an insurance measure, the method described below hides all of the management programs.

In OneThird CMS, the accessible PHP programs are index.php and the programs under admin only.

Putting BASIC authentication on the admin folder alone already makes it resistant to attacks from outside, but it is somewhat cumbersome.

So, from v1.70, the CMS supports a simpler way to hide the URLs of all management programs, including the login program, as a built-in function.

Changing the login URL was also possible before v1.70; if you are using the previous method, please switch to this one.

The change is easy: only two places, in two files, need to be edited.

First, in config.php, set:

$config['admin_dir'] = 'a hard-to-guess string';

When installed as v1.70 or later, a $config['admin_dir'] entry is already written in config.php in commented-out form from the beginning, so edit that line instead of adding a new one.


Use a hard-to-guess string of a length that causes no inconvenience in operation.

Here, we set admin01ab.

Next, open the .htaccess directly under the installation folder and, just below

RewriteEngine On

add the following line:

RewriteRule ^.*/?(admin[0-9a-zA-Z]*)/(.*)$ index.php?__admin=$1&__pg=$2&%{QUERY_STRING} [L]

If installed as v1.70 or later, this line is likewise already present in commented-out form, so edit that line.


After this modification, the login URL changes from

Installation URL/login

to

Installation URL/admin01ab/login


About the length of the login URL

Some people may feel that the four-character string added to the URL in the example is too short.

But even at four characters the probability of it being broken is about 1 in 1,600,000, and even if this URL were found, that alone would not let anyone log in.

The point of changing the URL is to avoid indiscriminate attacks by bots.

In addition, because .htaccess contains

RewriteRule ^.*/?(admin[0-9a-zA-Z]*)/(.*)$ index.php?__admin=$1&__pg=$2&%{QUERY_STRING} [L]

any access to Installation URL/admin??? other than Installation URL/admin01ab/login is assumed to be a bot attack, since it is not the real URL.

More specifically, when about 100 wrong accesses to such URLs are concentrated from the same IP, that IP is shut out until the next day.

For this reason, it is difficult to identify the login URL by scanning.

That is why the URL does not need to be very long.

Of course, you can make it longer if that causes no operational problems.

For the reason above, when you hide the URL, please do not create a normal page with an alias such as admin???.
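As an added illustration (this is not OneThird CMS's own code), the PHP below models how the __admin value produced by the RewriteRule can be checked against $config['admin_dir'], and how repeated wrong admin??? hits from one IP lead to the shut-out described above; the function names, the in-memory counter store and the exact threshold and window are assumptions drawn from the text.

```php
<?php
// Added illustrative model of the hidden admin URL and the per-IP shut-out.
// Not OneThird CMS source: the function names, the in-memory store, the
// threshold of about 100 wrong hits and the 24-hour "until the next day"
// window are assumptions taken from the page's description.

// Same pattern as the .htaccess RewriteRule, applied with preg_match to
// emulate what mod_rewrite hands to index.php as __admin and __pg.
const ADMIN_RULE = '#^.*/?(admin[0-9a-zA-Z]*)/(.*)$#';

function rewrite_admin_path(string $path): ?array {
    if (!preg_match(ADMIN_RULE, $path, $m)) {
        return null;                       // not an admin??? path: a normal page
    }
    return ['__admin' => $m[1], '__pg' => $m[2]];
}

const SHUTOUT_THRESHOLD = 100;             // wrong admin??? hits from one IP
const SHUTOUT_SECONDS   = 86400;           // "until the next day", modelled as 24h

// Returns 'ok', 'reject' (wrong admin dir, counted) or 'locked' (IP shut out).
function check_admin_request(array &$store, string $ip, string $admin,
                             string $adminDir, int $now): string {
    $rec = $store[$ip] ?? ['count' => 0, 'until' => 0];
    if ($rec['until'] > $now) {
        return 'locked';                   // still shut out from an earlier burst
    }
    if (hash_equals($adminDir, $admin)) {
        return 'ok';                       // the one real admin URL
    }
    $rec['count']++;                       // any other admin??? URL is a bot probe
    if ($rec['count'] >= SHUTOUT_THRESHOLD) {
        $rec['until'] = $now + SHUTOUT_SECONDS;
        $rec['count'] = 0;
    }
    $store[$ip] = $rec;
    return $rec['until'] > $now ? 'locked' : 'reject';
}

// Constructed sample requests against admin_dir = 'admin01ab'.
$store = [];
$now   = time();
foreach (['admin01ab/login', 'admin/login', 'about/company'] as $path) {
    $q = rewrite_admin_path($path);
    $result = $q === null ? 'normal page'
            : check_admin_request($store, '198.51.100.7', $q['__admin'], 'admin01ab', $now);
    echo "$path => $result\n";
}
```

Running it prints ok for admin01ab/login, reject for admin/login (the probe is counted towards the shut-out) and normal page for about/company, which the rule never touches.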


Furthermore, if you want to operate securely, using static output is recommended.

You will not be able to use many plug-ins, but for sites that do not particularly need them, static output is recommended for both speed and security.

In OneThird CMS, static output is easy to do, and the output destination can also be set freely.

Please try it.


