httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ed Sawicki ...@alcpress.com>
Subject Re: [users@httpd] RedirectMatch
Date Tue, 20 Dec 2005 17:00:25 GMT
Joshua Slive wrote:
> On 12/19/05, Ed Sawicki <ed@alcpress.com> wrote:
> 
>>I'm administering an Apache server that runs PHP-based
>>Webapps that I have not written and cannot change. These
>>Webapps are being successfully attacked. Here's an
>>example from the log:
>>
>>66.57.121.127 - - [19/Dec/2005:19:50:46 -0800] "GET
>>/phplive/image_tracker.php?l=Bob&x=1&deptid=0&page=
>>http%3A//www.pcbpro.com/pcb-quote.php%3FWT.mc_id%3D
>>psepi00003%26referrer%3Dhttp%253a%252f%252fz-quest.com
>>%252fgo.php%253fidUser%253d36%2526z%253dasaphczzhihd
>>%2526idXmlFeed%253d37%2526idKeyword%253d145%2526
>>idSearchStatus%253d2%2526st%253d%2526url%253duggc
>>%253a%252f%252fgkpyvpx.rcvybg.pbz%252fpyvpx.nfck
>>%2540aoavhy%2540x%253dryrpgebavpf%2540aoaphy%2540o
>>%253d700%2540aoaphy%2540c%253drcvybg%2540aoaphy
>>%2540f%253dmdhrfgz%2540aoaphy%2540cbf%253d1%2540aoaphy
>>%2540g%253d24%2540aoaphy%2540xvq%253dQP8N5Q43-Q517-40O0-
>>87Q9-P281S6QN0458%2540aoaphy%2540rc%253d255%2540aoaphy
>>%2540fvq%253d815O3P57-3PS6-41S0-80S9-N79084865R39%2540
>>aoaphy%2540y%253duggc%253a%2540aoamhy%25402S%2540aoamhy
>>%25402Sjjj.cpoceb.pbz%2540aoamhy%25402Scpo-dhbgr.cuc
>>%2540aoamhy%25403SJG.zp_vq%253dcfrcv00003%2526ts
>>%253danaihxzszxhdzahczmzh%2526rb%253daaaphfhpzf
>>%2526is%253d66%25252E57%25252E121%25252E127%2526
>>idDomain%253d0&unique=1135050643687 HTTP/1.1" 200 43
>>
>>In this example, I'd like to detect the string "go.php"
>>and redirect the request elsewhere. I've tried to
>>use RedirectMatch but nothing I've tried works.
>>Here's just one example of the many, many statements
>>I've tried:
>>
>>RedirectMatch   301 (.*)go\.php        http://127.0.0.1
>>
>>This is Apache 2.0.46 with mod_alias loaded.
> 
> 
> Ouch.  Very old apache version with very vulnerable php apps.  You
> seem to be in a very bad situation.
> 
> Anyway, the mod_alias directives cannot act on the query string (the
> part after the ?).

Ahhh, I must have missed this in the documentation. Thanks.

Ed




   If you need that, you can do something like
> 
> RewriteEngine On
> RewriteCond %{QUERY_STRING} go\.php
> RewriteRule .* - [F]
> 
> You can also look at mod_security (external module).
> 
> Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message