ForumPostersUnion.com


   
  #1  
01-01-2010, 06:30 PM
miqrogroove
Super Member
Join Date: Dec 2008
Posts: 370
Hardening Apache

I just invented a cool bit of code for mod_rewrite:

Code:
RewriteCond %{THE_REQUEST} [:<>"]
RewriteRule .* - [R=400,L]
This is something Apache ought to do on its own, but doesn't. It instructs the server to reject any request that contains the Reserved Character colon, or the Excluded Characters less-than, greater-than, or double-quote.

It is making admin life a lot easier!
  #2  
01-01-2010, 06:32 PM
AnthonyCea
Publisher
Join Date: Feb 2006
Posts: 28,702
If this works to reduce requests by bad bots you should submit it to the developers, thanks, I will have my technical administrator look at this.
  #3  
01-01-2010, 06:51 PM
miqrogroove
It needs just a bit of fine tuning. Usually there is an ErrorDocument such as 400.html that needs to be present and handled properly to avoid the server logging a 500 status. So:

Code:
RewriteCond %{THE_REQUEST} [:<>"]
RewriteRule !^400\.html$ - [R=400,L]
Now Apache is happy too
  #4  
01-05-2010, 02:34 PM
miqrogroove
Another tweak... This version seems to be a bit more forgiving when it comes to handling different RewriteBase values.

Code:
RewriteCond %{THE_REQUEST} [:<>"]
RewriteCond %{SCRIPT_FILENAME} !400\.html$ 
RewriteRule .* - [R=400,L]
  #5  
01-05-2010, 02:42 PM
AnthonyCea
Thanks for the update, I don't know if my technical administrator has had a chance to look at your code yet, but I will shoot him another link and see if he will comment.
  #6  
01-05-2010, 05:20 PM
iamoso
Administrator
Join Date: Jan 2008
Location: Stanton, CA
Age: 26
Posts: 4
Looks good to me, but what real-life purpose does it serve?

Also, you can read more about reserved characters at the Internet Engineering Task Force website.
__________________
Web Development
  #7  
01-05-2010, 05:21 PM
AnthonyCea
He came up with it as a response to some of these URL parameter attacks conducted by hackers.

Specifically URLs like this one:

http://www.forumpostersunion.com/sho...&postcount=230

http://www.forumpostersunion.com/sho...&postcount=231
  #8  
01-05-2010, 05:25 PM
iamoso
Depending on the bot, they may be sending the information encoded and with that it is quite possible that vBulletin decodes the information for display. Just my thoughts.
  #9  
01-05-2010, 05:26 PM
AnthonyCea
See the links in my prior post that were added, then you will see why he created this code, to stop some of these odd RFI attacker URLs these hackers are running.
  #10  
01-06-2010, 03:46 AM
miqrogroove
Quote:
Originally Posted by geekcoders
Depending on the bot, they may be sending the information encoded and with that it is quite possible that vBulletin decodes the information for display. Just my thoughts.
Correct, this code is not intended to defend XSS vulnerability.

What I have discovered over the past year, and AnthonyCea seems to have noticed this as well, is that the vast majority of URL hackers are trying to exploit bugs that only respond to unencoded parameters. When these attacks show up in the logs, they look like a long series of malformed requests that contain ridiculous paths and queries.

As you can imagine, the most profitable, and therefore most desirable URL hack is the one that causes the attacker's URL to show up in the page. So there tends to be a lot of
Code:
http://yoursite.com/http://mysite.com/
type of crap ending up in the logs.

The nice thing about my little mod_rewrite trick is that it stops these guys dead in their tracks with no other metrics needed.
  #11  
01-15-2010, 10:28 PM
miqrogroove
Here's another tweak to optimize performance:

Code:
# Prevent unnecessary re-writing of ErrorDocuments
RewriteCond %{SCRIPT_FILENAME} \d{3}\.html$
RewriteRule .* - [L]

# Invalid Use of Restricted or Excluded Characters in Request-URI
RewriteCond %{THE_REQUEST} [:<>"]
RewriteRule .* - [R=400,L]
Reply With Quote
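
Added example, not part of the original thread or any poster's code: a Python check that replays the rule's character class over access-log request lines, so an administrator can see before deployment which requests would get a 400, which percent-encoded requests still pass (the point raised in posts #8 and #10), and which legitimate URLs containing a colon would be refused. The log entries, addresses and paths are constructed, and `would_reject` and `audit` are names chosen here; the log pattern assumes Apache's common/combined format, where a double quote inside the request line is written as `\"`.

```python
import re

# Same character class as the RewriteCond in the thread:
# colon, less-than, greater-than, double quote.
BLOCKED = re.compile(r'[:<>"]')

# Common/combined log format: the request line is the first quoted field.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3})')


def would_reject(request_line):
    """True if the rule would answer 400 for this raw request line.

    %{THE_REQUEST} is the request line as sent, with no percent-decoding,
    so only literal characters count.
    """
    return BLOCKED.search(request_line) is not None


def audit(log_lines):
    """Return (rejected, passed) request lines found in access-log lines."""
    rejected, passed = [], []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log entry
        request = re.sub(r'\\(.)', r'\1', m.group(2))  # undo log escaping
        (rejected if would_reject(request) else passed).append(request)
    return rejected, passed


# Constructed sample entries (documentation address range, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2010:17:20:01 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [05/Jan/2010:17:20:07 -0500] "GET /http://mysite.com/ HTTP/1.1" 404 210',
    '192.0.2.44 - - [05/Jan/2010:17:20:09 -0500] "GET /page.php?x=\\"<b> HTTP/1.1" 200 830',
    '192.0.2.51 - - [05/Jan/2010:17:21:30 -0500] "GET /page.php?x=http%3A%2F%2Fmysite.com%2F HTTP/1.1" 200 830',
    '192.0.2.10 - - [05/Jan/2010:17:22:12 -0500] "GET /calendar.php?start=09:30 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    rejected, passed = audit(SAMPLE_LOG)
    for r in rejected:
        print("400  ", r)
    for p in passed:
        print("pass ", p)
```

Running it over a real access log before enabling the rule shows how many existing, legitimate request lines contain one of the four characters.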
  #12  
01-16-2010, 06:53 AM
AnthonyCea
Thank you for the code update, blocking hackers is job number 1 for any server administrator nowadays.