October 20th, 2020
Preventing remote file include attacks with mod_rewrite
I have seen many attempted RFI attacks, and almost all of them are basically the same. PHPfreaks has seen thousands of these attacks, and most have a URL somewhere in the query string. The good news is that we can use a simple rewrite to prevent these attacks.
Here we check our query string for http://, https:// or ftp://:
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*)
If you are using this rewrite within a .htaccess file, all you have left to do is deny access to all matching requests.
RewriteRule ^(.+)$ - [F]
If you have access to your vhost you could also log those requests like this:
RewriteEngine on
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*)
RewriteRule ^(.+)$ - [env=rfi:true]
CustomLog /path/to/logs/rfi.log combined env=rfi
You will also have to deny access to requests that have been caught by the above rewrite:
Deny from env=rfi
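Once rfi.log starts filling up, a short script can summarize it. The following is an added example, not part of the original post: it parses combined-format lines, counts flagged requests per client and per remote host named in the query string, and lists any flagged request that was not answered with 403 (a sign the Deny step is missing). The sample lines, IP addresses and host names are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Apache "combined": host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Same schemes as the RewriteCond; captures the host part of the embedded URL.
EMBEDDED_URL = re.compile(r'(?:https?|ftp)://([^/\s?&#]+)', re.IGNORECASE)

def parse_line(line):
    """Return (client, status, [hosts named in the query string]) or None."""
    m = COMBINED.match(line)
    if not m:
        return None
    query = urlsplit(m.group('target')).query
    hosts = [h.lower() for h in EMBEDDED_URL.findall(unquote_plus(query))]
    return m.group('host'), int(m.group('status')), hosts

def summarize(lines):
    """Count flagged requests per client and per referenced remote host."""
    clients, remotes, not_denied = Counter(), Counter(), []
    for line in lines:
        parsed = parse_line(line)
        if not parsed or not parsed[2]:
            continue  # unparsable line, or no URL in the query string
        client, status, hosts = parsed
        clients[client] += 1
        remotes.update(hosts)
        if status != 403:  # flagged by env=rfi but not refused
            not_denied.append(line)
    return clients, remotes, not_denied

# Constructed sample lines (documentation IP ranges, example domains).
SAMPLE = [
    '192.0.2.10 - - [28/May/2020:03:11:40 +0000] "GET /index.php?page=http://files.example.net/a.txt? HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.10 - - [28/May/2020:03:11:42 +0000] "GET /view.php?inc=ftp://files.example.net/b.txt HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [28/May/2020:04:35:59 +0000] "GET /index.php?page=https://cdn.example.org/c.txt HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.5 - - [28/May/2020:05:03:21 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    clients, remotes, not_denied = summarize(SAMPLE)
    print("requests per client:", clients.most_common())
    print("remote hosts referenced:", remotes.most_common())
    print("flagged but not denied:", len(not_denied))
```

To run it against a real log, pass the open file object to summarize() in place of SAMPLE.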