Dean Marshall Consultancy Ltd


DMC Firewall Security Issue - version 1.3 and below

It was reported to us that the backed-up version of either the '.htaccess' or 'web.config' file was publicly reachable at 'yourdomain.com/backup.htaccess' or 'yourdomain.com/backup.web.config', exposing any custom rules that you may have set.

When was the backup created?

The backup was created when you installed or updated DMC Firewall while a '.htaccess' or 'web.config' file was in the root of your web-space and our edits weren't already present in that server file. During the installation/update routines, DMC Firewall makes a number of edits to your server file, but before these edits are made a backup is taken in case something goes wrong.

What have you done to fix this?

DMC Firewall 1.4 addresses this issue by moving the backed-up version into a separate 'backups' folder located at 'administrator/components/com_dmcfirewall/backups', with the date and time of the update (yyyy-mm-dd-hh-mm-ss) appended to the file name, for example 'backup.htaccess-2016-04-10-15-00-00'. Access to this folder's content is blocked with '.htaccess/web.config' rules: anyone who tries to access this folder or the content within it will be presented with a '403 Forbidden' message.

We recommend that everyone updates to DMC Firewall 1.4.
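
To check a site against the two locations described above, the following audit script can be run over a web root. It is an added example, not part of DMC Firewall; the function name audit_webroot is hypothetical, and it assumes the blocking rules are a '.htaccess' or 'web.config' file placed inside the 'backups' folder itself.

```python
import re
import tempfile
from pathlib import Path

# File names and folder as given in the advisory.
ROOT_BACKUPS = ("backup.htaccess", "backup.web.config")
BACKUP_DIR = "administrator/components/com_dmcfirewall/backups"
# 1.4-style names, e.g. backup.htaccess-2016-04-10-15-00-00
STAMPED = re.compile(r"^backup\.(htaccess|web\.config)-\d{4}(-\d{2}){5}$")


def audit_webroot(webroot):
    """Return (status, message) findings for one Joomla web root."""
    root = Path(webroot)
    findings = []
    # Backups left by 1.3 and below sit in the web root, where they are served as-is.
    for name in ROOT_BACKUPS:
        if (root / name).is_file():
            findings.append(("exposed", f"{name} is in the web root"))
    backups = root / BACKUP_DIR
    if backups.is_dir():
        stamped = [p.name for p in backups.iterdir() if STAMPED.match(p.name)]
        # Assumption: the blocking rules are a .htaccess or web.config
        # placed inside the backups folder itself.
        guarded = any((backups / g).is_file() for g in (".htaccess", "web.config"))
        if stamped and not guarded:
            findings.append(("unguarded",
                             f"{len(stamped)} backup(s) in {BACKUP_DIR} with no rules file"))
    return findings


if __name__ == "__main__":
    # Constructed sample tree: one old root-level backup, one 1.4-style backup.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "backup.htaccess").write_text("# constructed sample\n")
        folder = root / BACKUP_DIR
        folder.mkdir(parents=True)
        (folder / "backup.htaccess-2016-04-10-15-00-00").write_text("# constructed sample\n")
        for status, message in audit_webroot(root):
            print(f"[{status}] {message}")
```

An "exposed" finding means a root-level backup is still on disk and should be moved out of the web root or deleted; the advisory does not say whether the 1.4 update removes it.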