Hi,
mod_security is interesting, it definitely looks like the right idea for
this guy's situation, but it is kind of funny in a way, if you need
mod_security you are already somewhat screwed, but it is nice to have
around.. :)
Eric
At 07:32 AM 12/20/2005, Joshua Slive wrote:
On 12/19/05, Ed Sawicki <[EMAIL PROTECTED]> wrote:
> I'm administering an Apache server that runs PHP-based
> Webapps that I have not written and cannot change. These
> Webapps are being successfully attacked. Here's an
> example from the log:
>
> 66.57.121.127 - - [19/Dec/2005:19:50:46 -0800] "GET
> /phplive/image_tracker.php?l=Bob&x=1&deptid=0&page=
> http%3A//www.pcbpro.com/pcb-quote.php%3FWT.mc_id%3D
> psepi00003%26referrer%3Dhttp%253a%252f%252fz-quest.com
> %252fgo.php%253fidUser%253d36%2526z%253dasaphczzhihd
> %2526idXmlFeed%253d37%2526idKeyword%253d145%2526
> idSearchStatus%253d2%2526st%253d%2526url%253duggc
> %253a%252f%252fgkpyvpx.rcvybg.pbz%252fpyvpx.nfck
> %2540aoavhy%2540x%253dryrpgebavpf%2540aoaphy%2540o
> %253d700%2540aoaphy%2540c%253drcvybg%2540aoaphy
> %2540f%253dmdhrfgz%2540aoaphy%2540cbf%253d1%2540aoaphy
> %2540g%253d24%2540aoaphy%2540xvq%253dQP8N5Q43-Q517-40O0-
> 87Q9-P281S6QN0458%2540aoaphy%2540rc%253d255%2540aoaphy
> %2540fvq%253d815O3P57-3PS6-41S0-80S9-N79084865R39%2540
> aoaphy%2540y%253duggc%253a%2540aoamhy%25402S%2540aoamhy
> %25402Sjjj.cpoceb.pbz%2540aoamhy%25402Scpo-dhbgr.cuc
> %2540aoamhy%25403SJG.zp_vq%253dcfrcv00003%2526ts
> %253danaihxzszxhdzahczmzh%2526rb%253daaaphfhpzf
> %2526is%253d66%25252E57%25252E121%25252E127%2526
> idDomain%253d0&unique=1135050643687 HTTP/1.1" 200 43
>
> In this example, I'd like to detect the string "go.php"
> and redirect the request elsewhere. I've tried to
> use RedirectMatch but nothing I've tried works.
> Here's just one example of the many, many statements
> I've tried:
>
> RedirectMatch 301 (.*)go\.php http://127.0.0.1
>
> This is Apache 2.0.46 with mod_alias loaded.

Ouch. Very old apache version with very vulnerable php apps. You seem to
be in a very bad situation.

Anyway, the mod_alias directives cannot act on the query string (the part
after the ?). If you need that, you can do something like

RewriteEngine On
RewriteCond %{QUERY_STRING} go\.php
RewriteRule .* - [F]

You can also look at mod_security (external module).

Joshua.
Eric Frazier CTO
DM Contact Management
611-201 Discovery St.
Victoria BC Canada
office (250) 383-8267 ext 229
cell (250) 514-2889
[EMAIL PROTECTED]
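
An added example, not part of the original thread: a small log check showing why the `RedirectMatch` pattern never fires (it only sees the URL path) while a query-string match does, and how matching after repeated percent-decoding also covers values nested in several encoding layers, as the `%25252E` sequences in the quoted log are. The sample lines are constructed (the first is shortened from the quoted entry), and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines; the first is shortened from the entry in the thread.
SAMPLE_LOG = [
    '66.57.121.127 - - [19/Dec/2005:19:50:46 -0800] "GET /phplive/image_tracker.php'
    '?l=Bob&page=http%3A//www.pcbpro.com/pcb-quote.php%3Freferrer%3Dhttp%253a%252f'
    '%252fz-quest.com%252fgo.php%253fidUser%253d36 HTTP/1.1" 200 43',
    '192.0.2.10 - - [19/Dec/2005:19:51:02 -0800] "GET /phplive/image_tracker.php'
    '?l=Bob&page=http%3A//example.org/x%3Fr%3Dexample.net%252fgo%25252Ephp HTTP/1.1" 200 43',
    '192.0.2.11 - - [19/Dec/2005:19:52:10 -0800] "GET /index.php?page=home HTTP/1.1" 200 512',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
NEEDLE = re.compile(r"go\.php")


def split_target(line):
    """Return (url_path, query_string), split at the first '?' as Apache does."""
    m = REQUEST.search(line)
    if not m:
        return "", ""
    path, _, query = m.group(1).partition("?")
    return path, query


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (bounded number of rounds)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    path, query = split_target(line)
    return {
        "path": bool(NEEDLE.search(path)),            # all that mod_alias matches on
        "raw_query": bool(NEEDLE.search(query)),      # RewriteCond %{QUERY_STRING}
        "decoded_query": bool(NEEDLE.search(fully_decode(query))),
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```
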