I guess I should add that it checks both the file path/URL, and the
query-string, for malicious whatnots.

The file path/URL is probably only needed if you're already using
rewrites.  Otherwise you only need the ones with QUERY_STRING,
probably.

Also, I've commented out the "http:" rule, which you can use if people
are submitting those crappy spam URLs to you.  I commented it out in
case folks actually pass URLs via URL, although I doubt many do (if
it's even legit for the RFC, which I doubt).

Yeah, that's it, I reckon.

-- 
By all means, marry. If you get a good wife, you'll become happy; if
you get a bad one, you'll become a philosopher.
Socrates

On Thu, Aug 7, 2008 at 6:38 PM, denstar wrote:
> I've cobbled together some stuff for apache that helps a good bit:
>
> Using mod_rewrite, you can at least prevent stuff from getting to CF.
> It still hits the webserver, but hey, better there than all the way to
> your appserver!
>
> Here's a modded version of some rewrites I found for IIS (MS people
> can find it on google, I didn't save the link, sorry!):
>
> RewriteRule .*NVARCHAR.* /security-violation.htm [NC]
> RewriteRule .*DECLARE.* /security-violation.htm [NC]
> #RewriteRule .*INSERT.* /security-violation.htm [NC]
> RewriteRule .*xp_.* /security-violation.htm [NC]
> RewriteRule [EMAIL PROTECTED] /security-violation.htm [NC]
> #RewriteRule .*';* /security-violation.htm [NC]
> RewriteRule .*EXEC\(@.* /security-violation.htm [NC]
> RewriteRule .*sp_password.* /security-violation.htm [NC]
> #RewriteRule /security-violation.htm /security-violation.cfm [L]
>
> #RewriteCond %{QUERY_STRING} .*http:\/\/.* [NC]
> #RewriteRule .* /security-violation.htm
> RewriteCond %{QUERY_STRING} .*sp_password.* [NC]
> RewriteRule .* /security-violation.htm
> RewriteCond %{QUERY_STRING} .*CAST\(.* [NC]
> RewriteRule .* /security-violation.htm
> RewriteCond %{QUERY_STRING} .*EXEC\(@.* [NC]
> RewriteRule .* /security-violation.htm
> RewriteCond %{QUERY_STRING} .*DECLARE.* [NC]
> RewriteRule .* /security-violation.htm
>
> RewriteRule /security-violation.htm /security-violation.cfm [P,L]
>
> It basically redirects all of them to a CF file called
> /security-violation.cfm, for tracking/auditing whatnots, if you so
> choose.
>
> You can also change the last line to this:
> RewriteRule /security-violation.htm /security-violation.cfm [F]
>
> or something similar (that was off the cuff) to have it respond with
> "forbidden" instead.
>
> You can slap that all in one file (security.rewrites.conf or
> something) and then Include it in your virtual hosts, or wherever.
>
> The strings are just perl-flavored regular expressions, it's easy to
> add/remove stuff if it's too hard or too loose.
>
> Dunno if it will help others, but it's sure helped us out, so here it is.
>
> HIH!
>
> On Thu, Aug 7, 2008 at 7:56 AM, Kris Jones wrote:
>> I'd like to know how I can stop the requests from ever hitting the web-server.
>>
>> Can anyone point me at a resource for a firewall solution? I've seen
>> some isapi filter solutions, but they all seem to just clean the
>> querystring and then forward the request on -- so it's still hitting
>> CF. I'd really like to stop it before we get to the web-server at all
>> (let alone the CF application server).
>>
>> Cheers,
>> Kris
>
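
Added example (not part of the original thread and not denstar's own code): a small Python harness for tuning the patterns above when they turn out too tight or too loose. It applies the active path rules and QUERY_STRING rules to sample requests and reports false positives and misses. The sample URLs and the names matching_rules and audit are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Patterns copied from the active (uncommented) rules in the post.
# The "[EMAIL PROTECTED]" rule is left out: its pattern is lost in the archive.
PATH_RULES = ["NVARCHAR", "DECLARE", "xp_", r"EXEC\(@", "sp_password"]
QUERY_RULES = ["sp_password", r"CAST\(", r"EXEC\(@", "DECLARE"]

def matching_rules(url):
    """Return (where, pattern) pairs for every rule the request would trip."""
    parts = urlsplit(url)
    path = unquote(parts.path)  # RewriteRule is matched against the decoded URL-path
    query = parts.query         # %{QUERY_STRING} is matched as sent, not decoded
    hits = [("path", p) for p in PATH_RULES if re.search(p, path, re.I)]  # [NC]
    hits += [("query", p) for p in QUERY_RULES if re.search(p, query, re.I)]
    return hits

def audit(samples):
    """samples: (url, should_block) pairs. Returns (false_positives, missed)."""
    false_pos, missed = [], []
    for url, should_block in samples:
        hits = matching_rules(url)
        if hits and not should_block:
            false_pos.append((url, hits))
        elif not hits and should_block:
            missed.append(url)
    return false_pos, missed

# Constructed sample requests: three legitimate, two carrying the keywords
# the rules are meant to stop (truncated fragments, not working statements).
SAMPLES = [
    ("/index.cfm?id=42", False),
    ("/search.cfm?q=declared+value", False),
    ("/downloads/winxp_drivers.cfm", False),
    ("/page.cfm?id=1;declare%20@s", True),
    ("/page.cfm?id=1;EXEC(@s)", True),
]

if __name__ == "__main__":
    false_pos, missed = audit(SAMPLES)
    for url, hits in false_pos:
        print("false positive:", url, hits)
    for url in missed:
        print("missed:", url)
```

Feeding it URLs pulled from your own access logs before enabling a new pattern shows which legitimate pages the rule would send to /security-violation.htm.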

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310463