Webserver-level mitigations for CVE-2023-23752

From Joomla! Documentation

Errors reported[edit]

I want to mitigate the issue fixed in 4.2.8 (CVE-2023-23752) using webserver-level measures like mod_security or mod_rewrite - how to do that?

Versions affected[edit]

General Information

This pertains only to Joomla! version(s): 4.0.0 - 4.2.7

How to fix[edit]


Add the following rule to the .htaccess file in your website root:

RewriteCond %{QUERY_STRING} public=
RewriteRule api/?. - [F]

Kudos to Nicholas Dionysopoulos for providing this rule.


SecRule REQUEST_URI "api/index.php/v1/" "chain,id:002370,t:lowercase,t:urlDecodeUni"
SecRule ARGS_GET_NAMES "^public$"