Removing multiple "/"s --> URL Injection Attack

Fix it!!

Postby broncozr » Sun Sep 21, 2008 5:57 pm

Yes, register_globals is off.

The attacks most likely take advantage of register_globals, so as long as it's off you should be OK. In you logging script it should be very simple and you should not use relative paths (to the logging file, that's what the include_path URLs are trying to attack).


Sorry to be dense, but how do the include_path URLs take advantage of relative paths? I figured that the malicious URLs (text files) were just using my site's server as a resource to serve another site---i.e. to run malicious .php code?

I do have these set to "Off" in php.ini:

file_uploads = Off
allow_url_fopen = Off
allow_url_include = Off


Here is my mod_rewrite; I guess it would be clearer to say that I do a rewrite in .htaccess and a redirect in php. In addition to %{THE_REQUEST}, I also check %{REQUEST_URI} and %{QUERY_STRING} for these matches:

Options +FollowSymlinks

RewriteEngine on

RewriteCond %{THE_REQUEST} chdir|upload|include_path|hack|file|http://|ftp [NC,OR]
RewriteCond %{THE_REQUEST} paypal|config|myftp|include|txt [NC,OR]
RewriteCond %{THE_REQUEST} dll|apache|\.\.+|//+|%0a|%0d [NC]
RewriteRule (.*) http://mydomain.com/404.php?error_here=true

# SAW THESE ON ANOTHER FORUM AND PUT THEM IN JUST IN CASE.......
RewriteCond %{REQUEST_METHOD} ^CONNECT$ [OR]
RewriteCond %{REQUEST_METHOD} ^SEARCH$
RewriteRule ^.*$ %N [F]


When the URL is rewritten to http://mydomain.com/404.php?error_here=true , that URL is redirected (using php) to http://mydomain.com/404.php.

I do the two redirects (rewrites is maybe a better word) to make sure it shows up in the raw access log (maybe overkill). If I remember correctly, it was not showing up in the log without the extra redirect---it was just rewriting the URL in the user's browser.
broncozr
 
Posts: 8
Joined: Mon Sep 15, 2008 1:03 pm

Postby richardk » Tue Sep 23, 2008 12:24 pm

Sorry to be dense, but how do the include_path URLs take advantage of relative paths?

When you include('relative/path.php') PHP adds the include path to find the file (there are usually a few). If you set the include path to http://example.com/? it would request http://example.com/?relative/path.php.

allow_url_fopen = Off
allow_url_include = Off

Then include_path with a URL wouldn't work.

Try
Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{REQUEST_METHOD} ^(CONNECT|SEARCH)$ [NC]
RewriteRule .* - [F,L]

RewriteCond %{THE_REQUEST} chdir|upload|include_path|hack|file|http:// [NC,OR]
RewriteCond %{THE_REQUEST} paypal|config|myftp|include|txt [NC,OR]
RewriteCond %{THE_REQUEST} dll|apache|\.\.+|//+|%0a|%0d|ftp [NC]
RewriteRule .* http://mydomain.com/404.php?error_here=true [L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby broncozr » Tue Sep 23, 2008 6:29 pm

So far, they haven't exploited our site in a week! Keeping my fingers crossed!

Thanks again for all the info!!!!!
broncozr
 
Posts: 8
Joined: Mon Sep 15, 2008 1:03 pm

Postby broncozr » Tue Nov 17, 2009 12:35 pm

Hey Richard,

I wanted to thank you again for your help last year re: the attacks on our web site.

I was revisiting this issue, and I was wondering about accessing environmental variables set in .htaccess. I have started setting a cookie that collects the value of "THE_REQUEST", but I've noticed that some potential hackers do not allow cookies! Go figure. :D To get around that, I'm looking to capture the "THE_REQUEST" variable and put in in an environmental variable. Should I expect to have access to that variable on subsequent pages---i.e. pages to which .htaccess forwards/rewrites the original page request?

Here's what I'm looking to use:

Code: Select all
RewriteCond %{THE_REQUEST} badword1 badword2 badword3 [NC]
RewriteRule (.*) http://mydomain.com/404.php?hacked=true [E=INFO_THE_REQUEST:%{THE_REQUEST}]


In the 404.php file, I'm looking to capture that environmental variable, but I haven't been able to get my hands on it? I've printed off the $_SERVER and $_ENV PHP variables/arrays, but I'm not seeing the environmental variable from .htaccess show up?

Here's the 404.php code:
Code: Select all
echo "ALL Variables:\n";
print_r($_SERVER);

echo "ALL Env. Variables:\n";
print_r($_ENV);



Do I need to do something else in .htaccess to capture THE_REQUEST for use on subsequent pages?

Thanks for any suggestions.


Here's the apache documentation:
http://httpd.apache.org/docs/2.2/mod/mo ... ewriterule

'env|E=VAR:VAL' (set environment variable)
This forces an environment variable named VAR to be set to the value VAL, where VAL can contain regexp backreferences ($N and %N) which will be expanded. You can use this flag more than once, to set more than one variable. The variables can later be dereferenced in many situations, most commonly from within XSSI (via <!--#echo var="VAR"-->) or CGI ($ENV{'VAR'}). You can also dereference the variable in a later RewriteCond pattern, using %{ENV:VAR}. Use this to strip information from URLs, while maintaining a record of that information.
broncozr
 
Posts: 8
Joined: Mon Sep 15, 2008 1:03 pm

Previous

Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: No registered users and 7 guests

cron