PHP Freaks - Print - Preventing remote file include attacks with mod rewrite

Tutorials

URL: http://www.phpfreaks.com/tutorial/preventing-remote-file-include-attacks-with-mod-rewrite

Print Date: Dec 4, 2024 3:18:39 AM

Preventing remote file include attacks with mod rewrite

by Thomas Johnson on May 27, 2008 7:52:29 PM

Rating: 5/5

Votes: 5

I have seen many attempted rfi attacks and almost all of these are basically the same. PHPfreaks has seen thousands of these attacks and most have a url somewhere in the query string. The good news is that we can use a simple rewrite to prevent these attacks.

Here we check our query string for http://, https:// or ftp://

RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*)

If you are using this rewrite within a .htaccess all you have left is to deny access from all matching requests.

RewriteRule ^(.+)$ - [F]

If you have access to your vhost you could also log those requests like this:

<IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*)
   RewriteRule ^(.+)$ - [env=rfi:true]
</IfModule>
CustomLog /path/to/logs/rfi.log combined env=rfi

You will also have to deny access from requests that have been caught by the above rewrite

Deny from env=rfi