WebApp Sec mailing list archives
RE: rewrite rule for apache
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Wed, 6 Sep 2006 09:29:30 -0500
-----Original Message-----
From: bituman [mailto:bituman () enerla net]

I want to protect a directory, better to say its contents, from people downloading it if they are not coming from a specified page. Now, I understand that the following code redirects *vicodin.* to a standard error page.
This shouldn't be thought of as a "protection", but more like a search engine interference, or anti-leeching mechanism. Since there are a myriad of ways someone could forge the REFERER field of the HTTP Header...
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^(http://)?(www\.)?.*(-|.)vicodin(-|.).*$ [NC,OR]
< ...lots of other rules go here...>
RewriteRule .* - [F,L]

What rewrite rules should I use if I want users from index.php?option=login to access the content and everyone else to be redirected to the standard error page? Is it even possible to use GET-style params in the referer field?
Yeah, it's just a regex. You can Google TONS of docs on this pretty quickly. Here's an example (I haven't tested, YMMV) if you wanted to verify the REFERER field for a URL param and then, lacking that param, rewrite the request URI based upon conditions like file extension:

<IfModule mod_rewrite.c>
RewriteEngine on
# 1-2. Only act when a referer is present; a blank referer passes through
RewriteCond %{HTTP_REFERER} !^$
# 3. Any host whose referer path is /index.php?option=login is allowed
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?[^/]+/index\.php\?option=login [NC]
# 4. Exempt the redirect target itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !^/images/avatar/leech\.gif [NC]
# 5. Redirect image-type requests to the placeholder
RewriteRule \.(gif|jpg|jpeg|png|bmp|swf)$ http://www.anachronic.com/images/avatar/leech.gif [R,NC,L]
</IfModule>

1. Turns on
2. Catches blank referer
3. Catches your URL param
4. Ignores custom error URI
5. Rewrites URI based upon specific content (extensions) requested

You could also add frame-busting code here, or many other things, all of which you should find pretty quickly with our friend Google.

Arian J. Evans
Software Security Person
+1.913.378.3571 [mobile]

"See? That was nothing. But that's how it always begins. Very small." -Egg Shen
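A small simulation of the referer-check chain discussed in this thread, added here as an example; it is not code from Arian's reply or bituman's question. It assumes a hypothetical Request shape carrying only the two fields the rules inspect, a constructed placeholder path for the leech image, and constructed sample URLs. It shows which requests pass, that the server decides purely on whatever Referer value the client chose to send (the "anti-leeching, not protection" point above), and the redirect loop that appears when the exempted URI does not match the redirect target.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """Hypothetical request: only the fields the rewrite rules look at."""
    uri: str             # REQUEST_URI, path part only
    referer: str = ""    # HTTP_REFERER, "" when the header is absent


# Constructed placeholder: path of the leech image on the site itself.
LEECH_IMAGE = "/images/avatar/leech.gif"

# RewriteRule \.(gif|jpg|jpeg|png|bmp|swf)$ ... [NC]
IMAGE_EXT = re.compile(r"\.(gif|jpg|jpeg|png|bmp|swf)$", re.IGNORECASE)

# Referer allowed to fetch images: any host, path /index.php?option=login
LOGIN_REFERER = re.compile(
    r"^https?://(www\.)?[^/]+/index\.php\?option=login", re.IGNORECASE
)


def rewrite_decision(req: Request, exempt: str = LEECH_IMAGE) -> str:
    """Mirror the RewriteCond chain: every condition must hold before the
    RewriteRule fires. Returns 'serve' or 'redirect:<path>'."""
    # RewriteCond %{HTTP_REFERER} !^$  -> blank referer is left alone
    if req.referer == "":
        return "serve"
    # RewriteCond %{HTTP_REFERER} !^https?://...index.php?option=login
    # Note: only the header value is checked; the server cannot tell whether
    # the client really came from that page or simply sent that string.
    if LOGIN_REFERER.match(req.referer):
        return "serve"
    # RewriteCond %{REQUEST_URI} !^<exempt>  -> never rewrite the placeholder
    if req.uri == exempt:
        return "serve"
    # RewriteRule: image-type request with a foreign referer gets redirected
    if IMAGE_EXT.search(req.uri):
        return f"redirect:{LEECH_IMAGE}"
    return "serve"


def follow_redirects(req: Request, exempt: str = LEECH_IMAGE, max_hops: int = 5):
    """Simulate a browser following the redirect while keeping its Referer.
    Returns (final_uri, hops), or ('loop', hops) if the chain never settles,
    which is what happens when `exempt` does not equal the redirect target."""
    hops = 0
    current = req
    while True:
        decision = rewrite_decision(current, exempt)
        if decision == "serve":
            return current.uri, hops
        hops += 1
        if hops > max_hops:
            return "loop", hops
        target = decision.split(":", 1)[1]
        current = Request(uri=target, referer=current.referer)


if __name__ == "__main__":
    # Constructed sample requests
    samples = [
        Request("/photos/a.jpg"),                                          # no referer
        Request("/photos/a.jpg", "http://example.com/index.php?option=login"),
        Request("/photos/a.jpg", "http://other.example/page.html"),       # hotlink
        Request("/docs/readme.txt", "http://other.example/page.html"),    # not an image
    ]
    for r in samples:
        print(r, "->", rewrite_decision(r))
    print("correct exemption:", follow_redirects(samples[2]))
    print("wrong exemption:  ", follow_redirects(samples[2], exempt="/avatar/leech.gif"))
```

The `exempt` parameter exists only to reproduce the two variants side by side: with the exemption set to the same path the rule redirects to, the browser fetches the placeholder once and stops; with a path that does not match the redirect target, every fetch of the placeholder is itself redirected again.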
Current thread:
- rewrite rule for apache bituman (Aug 31)
- RE: rewrite rule for apache Arian J. Evans (Sep 06)