Project

General

Custom queries

Profile

Actions

Support #16178

closed

Joomla Security Update

Added by Michele Artini about 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Start date:
Feb 27, 2019
Due date:
% Done:

100%

Estimated time:
VREName:

Description

Message after the last Joomla update:

.htaccess & web.config security Update
Since version 3.9.3

Since Joomla 3.9.3, Joomla is shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. 
These hardenings disable the so called MIME-type sniffing feature in webbrowsers. The sniffing leads to specific attack vectors, 
where scripts in normally harmless file formats (i.e. images) will be executed, leading to Cross-Site-Scripting vulnerabilities.

The security teams recommends to manually apply the necessary changes to existing .htaccess or web.config files, 
as those files can not be updated automatically.

Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

Changes for web.config
Add the following lines right after "</rewrite>":

<httpProtocol>
  <customHeaders>
    <add name="X-Content-Type-Options" value="nosniff" />
  </customHeaders>
</httpProtocol>

Add

Subtasks


Add

Related issues

Updated by Andrea Dell'Amico about 6 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Done. The second configuration entry cannot be applied to our apache server, it works with apache versions newer that the one we run.

Actions

Also available in: Atom PDF