Denying URL-Includes but not for special domains


Post by Tyvan » Wed May 07, 2008 4:09 am

Hi all,
I'm using 3 lines of rewrite rules and conds to prevent include attacks by external URLs.

These 3 lines are as follows:

Code:
RewriteCond %{QUERY_STRING} http[:%] [NC]
RewriteRule .* /---------http--------- [F,NC]
RewriteRule http: -------http-------- [F,NC]


These 3 lines result in a total deny of all URLs having URLs in parameters.
But I need to allow that kinda URLs for some domains.

So one example would be to allow all kinda URL-includes for the domain "my-domain.com", but all the others should be denied.

How can I modify those 3 lines above to do this?
I just want to add those domains to these 3 lines to allow them, the rest should be denied.
Tyvan
 
Posts: 4
Joined: Wed May 07, 2008 4:03 am

Post by richardk » Wed May 07, 2008 2:40 pm

Try
Code:
Options +FollowSymLinks

RewriteEngine On

# If it's not example.com.
RewriteCond %{HTTP_HOST} !^(www\.)?example\.com$ [NC]
# Check the URI and the query string.
RewriteCond %{REQUEST_URI}%{QUERY_STRING} http[:%] [NC]
RewriteRule .* - [F,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Not working

Post by Tyvan » Thu May 08, 2008 1:42 am

Thx for the code.

But it's not working.

Every domain is working.
Tyvan
 
Posts: 4
Joined: Wed May 07, 2008 4:03 am

Post by Tyvan » Thu May 08, 2008 1:48 am

Ah, wait a second.

That's wrong.

I don't want to check if the HTTP_HOST of the URL is not equal to example.com.

I want to check ONLY the QUERY_STRING if it contains a domain which is not allowed.

So I mean:

This URL must be forbidden:
http://www.any-domain.com/index.php?ref ... xample.com

But the following URL must be allowed:
http://www.any-domain.com/index.php?ref ... domain.com

You see that the HTTP_HOST is always any-domain.com. That domain doesn't matter. So HTTP_HOST does not need to be checked in HTACCESS. I only want to check for the domain in the parameters passed to my domain. If those parameters contain a domain which is not allowed by HTACCESS, then throw a FORBIDDEN.

Sorry, explained it wrong in my last posts.


So to explain it in Pseudo-Code:

IF "all domains in QUERY_STRING starting with http:// are not ('allowed-domain.com' OR 'any-other-allowed-domain.com') THEN
THROW FORBIDDEN;
ELSE
ALLOW URL;
Tyvan
 
Posts: 4
Joined: Wed May 07, 2008 4:03 am

Post by Tyvan » Fri May 09, 2008 10:25 am

SH*T, it's so easy.

Just replace that http[:%] part from RewriteCond with !http://www.allowed-domain.com.

That's it.
All domains in my query string are forbidden except allowed-domain.com.

:D
Tyvan
 
Posts: 4
Joined: Wed May 07, 2008 4:03 am

Post by richardk » Sun May 11, 2008 1:11 pm

For anyone else
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} !http://(allowed-domain\.com|any-other-allowed-domain\.com)/ [NC]
RewriteCond %{REQUEST_URI}%{QUERY_STRING} http[:%] [NC]
RewriteRule .* - [F,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
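
Added example, not part of the original thread or either poster's code: a Python sketch of the pseudo-code above that decodes the query string and checks the host of every embedded URL against the allowlist, rather than looking for one allowed URL anywhere in the string. It assumes the check runs in the application before the include; the `https` coverage, the `www.` handling, the function names and the sample query strings are assumptions made for this illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Allowlist from the thread's final rule; "www." is treated as the same site (assumption).
ALLOWED_HOSTS = {"allowed-domain.com", "any-other-allowed-domain.com"}
# Trigger modelled on the thread's http[:%] test, widened here to cover https as well.
SUSPECT = re.compile(r"https?[:%]", re.I)
# Lookahead so a URL nested inside another URL's own query is also extracted.
URL = re.compile(r"(?=(https?://[^\s&\"'<>]+))", re.I)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding, e.g. http%253A%252F%252F -> http://."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def host_allowed(url):
    """Exact host match against the allowlist (no substring or suffix matching)."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    if host.startswith("www."):
        host = host[4:]
    return host in ALLOWED_HOSTS

def query_is_forbidden(query_string):
    """True if any URL in any parameter name or value is outside the allowlist."""
    for pair in parse_qsl(query_string, keep_blank_values=True):
        for part in map(fully_decode, pair):
            triggers = SUSPECT.findall(part)
            urls = URL.findall(part)
            # Fail closed: every trigger must parse as a URL and every host must be listed.
            if len(urls) != len(triggers) or not all(map(host_allowed, urls)):
                return True
    return False

# Constructed sample query strings, not taken from the thread.
SAMPLES = [
    "ref=http://www.allowed-domain.com/page.txt",
    "ref=http%3A%2F%2Fnot-allowed.example%2Fpage.txt",
    "a=http://allowed-domain.com/&b=http://not-allowed.example/",
]
if __name__ == "__main__":
    for q in SAMPLES: print(query_is_forbidden(q), q)
```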

