I guess I should add that it checks both the file path/URL, and the query-string, for malicious whatnots.
The file path/URL is probably only needed if you're already using rewrites. Otherwise you only need the ones with QUERY_STRING, probably.

Also, I've commented out the "http:" rule, which you can use if people are submitting those crappy spam URLs to you. I commented it out in case folks actually pass URLs via URL, although I doubt many do (if it's even legit for the RFC, which I doubt).

Yeah, that's it, I reckon.

--
By all means, marry. If you get a good wife, you'll become happy; if you get a bad one, you'll become a philosopher.
Socrates

On Thu, Aug 7, 2008 at 6:38 PM, denstar wrote:
> I've cobbled together some stuff for apache that helps a good bit:
>
> Using mod_rewrite, you can at least prevent stuff from getting to CF.
> It still hits the webserver, but hey, better there than all the way to
> your appserver!
>
> Here's a modded version of some rewrites I found for IIS (MS people
> can find it on google, I didn't save the link, sorry!):
>
> RewriteRule .*NVARCHAR.* /security-violation.htm [NC]
> RewriteRule .*DECLARE.* /security-violation.htm [NC]
> #RewriteRule .*INSERT.* /security-violation.htm [NC]
> RewriteRule .*xp_.* /security-violation.htm [NC]
> RewriteRule [EMAIL PROTECTED] /security-violation.htm [NC]
> #RewriteRule .*';* /security-violation.htm [NC]
> RewriteRule .*EXEC\(@.* /security-violation.htm [NC]
> RewriteRule .*sp_password.* /security-violation.htm [NC]
> #RewriteRule /security-violation.htm /security-violation.cfm [L]
>
> #RewriteCond %{QUERY_STRING} .*http:\/\/.* [NC]
> #RewriteRule .* /security-violation.htm
> RewriteCond %{QUERY_STRING} .*sp_password.* [NC]
> RewriteRule .* /security-violation.htm
> RewriteCond %{QUERY_STRING} .*CAST\(.* [NC]
> RewriteRule .* /security-violation.htm
> RewriteCond %{QUERY_STRING} .*EXEC\(@.* [NC]
> RewriteRule .* /security-violation.htm
> RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
> RewriteRule .* /security-violation.htm
>
> RewriteRule /security-violation.htm /security-violation.cfm [P,L]
>
> It basically re-directs all of them to a CF file called
> /security-violation.cfm, for tracking/auditing whatnots, if you so
> choose.
>
> You can also change the last line to this:
> RewriteRule /security-violation.htm /security-violation.cfm [F]
>
> or something similar (that was off the cuff) to have it respond with
> "forbidden" instead.
>
> You can slap that all in one file (security.rewrites.conf or
> something) and then Include it in your virtual hosts, or wherever.
>
> The strings are just perl-flavored regular expressions, it's easy to
> add/remove stuff if it's too hard or too loose.
>
> Dunno if it will help others, but it's sure helped us out, so here it is.
>
> HIH!
>
> --
> By all means, marry. If you get a good wife, you'll become happy; if
> you get a bad one, you'll become a philosopher.
> Socrates
>
> On Thu, Aug 7, 2008 at 7:56 AM, Kris Jones wrote:
>> I'd like to know how I can stop the requests from ever hitting the
>> web-server.
>>
>> Can anyone point me at a resource for a firewall solution? I've seen
>> some isapi filter solutions, but they all seem to just clean the
>> querystring and then forward the request on -- so it's still hitting
>> CF. I'd really like to stop it before we get to the web-server at all
>> (let alone the CF application server).
>>
>> Cheers,
>> Kris
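
Added example, not part of the original thread: a small Python harness that runs the QUERY_STRING patterns from the post against constructed sample query strings, to show where a rule is too loose (a false positive) and where matching the raw string, which is what mod_rewrite's %{QUERY_STRING} holds, gives a different result from matching the percent-decoded value. The function names, verdict labels and sample strings are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# QUERY_STRING patterns copied from the RewriteCond lines in the thread.
# [NC] maps to re.IGNORECASE; the "http:" rule stays disabled, as posted.
RULES = [
    ("sp_password", r".*sp_password.*", True),
    ("CAST(", r".*CAST\(.*", True),
    ("EXEC(@", r".*EXEC\(@.*", True),
    ("DECLARE", r".*DECLARE.*", True),
    ("http://", r".*http:\/\/.*", False),
]

# Constructed sample query strings (not taken from real traffic),
# each labelled with whether the request should be blocked.
SAMPLES = [
    ("id=42&sort=name", False),
    ("q=how+to+declare+a+cfc+variable", False),
    ("id=7;DECLARE%20@x%20VARCHAR(10)", True),
    ("v=CAST%28x%20AS%20INT%29", True),
]

def matching_rules(query_string, decode=False):
    """Names of enabled rules that fire, on the raw or percent-decoded string."""
    subject = unquote_plus(query_string) if decode else query_string
    return [name for name, pattern, enabled in RULES
            if enabled and re.search(pattern, subject, re.IGNORECASE)]

def audit(samples=SAMPLES):
    """Classify each sample as ok, false-positive, missed or missed-when-raw."""
    results = {}
    for qs, should_block in samples:
        raw, decoded = matching_rules(qs), matching_rules(qs, decode=True)
        if raw and not should_block:
            verdict = "false-positive"
        elif should_block and not raw and decoded:
            verdict = "missed-when-raw"
        elif should_block and not raw:
            verdict = "missed"
        else:
            verdict = "ok"
        results[qs] = (verdict, raw, decoded)
    return results

if __name__ == "__main__":
    for qs, (verdict, raw, decoded) in audit().items():
        print(f"{verdict:16} raw={raw} decoded={decoded}  {qs}")
```

Extending SAMPLES with query strings from your own application's legitimate traffic before enabling a rule shows which patterns would block real users.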