On Fri, Jun 26, 2015 at 1:36 PM, Kurtis Rader <kra...@skepticism.us> wrote:

> My question for James would be how do you know the query string has the
> parameters in that exact order? Unless the query string has been
> hand-crafted you cannot assume the parameters will appear in any specific
> order. Also, your pattern doesn't handle the case where the parameters are
> separated by semicolons (which is a legal alternative to ampersand). In
> general matching against QUERY_STRING is very difficult to do in a robust
> manner.
>

P.S., Here is an example from my config of how to robustly check for the
presence of a specific query string parameter. In this case I'm looking for
a reference to the WordPress "Revolution Slider" plugin which has had
numerous security flaws and I will never install on my site as a
consequence.

# Malware loves to probe for revslider plugin vulnerabilities. Since we don't
# use it (and never will given its history of vulnerabilities) blacklist
# references to it. This is related to the blacklisted-path rules above.
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/revslider/ [NC,OR]
RewriteCond %{QUERY_STRING} (?:^|&|;)action=revslider_ajax_action(?:&|;|$) [NC,OR]
RewriteCond %{QUERY_STRING} (?:^|&|;)action=revslider_show_image(?:&|;|$) [NC]
RewriteRule ^ /blocked.php [END,E=error-notes:probe-for-revslider-plugin]


-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
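Added example (not from Kurtis' message or his Apache config): the two QUERY_STRING patterns above folded into one Python regex, next to a parse-then-compare check, run over constructed query strings to show that the match is independent of parameter order and separator and where the two approaches differ.

```python
import re
from urllib.parse import unquote_plus

# Kurtis' two QUERY_STRING RewriteCond patterns folded into one regex.
# (?:^|&|;) and (?:&|;|$) anchor on the separators, so the match does not
# depend on parameter order and accepts ';' as well as '&'. re.IGNORECASE
# stands in for Apache's [NC] flag.
REVSLIDER_PROBE = re.compile(
    r"(?:^|&|;)action=revslider_(?:ajax_action|show_image)(?:&|;|$)",
    re.IGNORECASE,
)

def regex_probe(query_string: str) -> bool:
    """Mirror of the RewriteCond test: True when the request would be blocked."""
    return REVSLIDER_PROBE.search(query_string) is not None

def parse_query(query_string: str) -> list[tuple[str, str]]:
    """Split QUERY_STRING on '&' or ';' and percent-decode each name and value."""
    pairs = []
    for field in re.split(r"[&;]", query_string):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name).lower(), unquote_plus(value).lower()))
    return pairs

def parsed_probe(query_string: str) -> bool:
    """Same check after parsing; mod_rewrite does not decode %{QUERY_STRING},
    so a percent-encoded value passes the regex but not this test."""
    wanted = {"revslider_ajax_action", "revslider_show_image"}
    return any(n == "action" and v in wanted for n, v in parse_query(query_string))

# Constructed sample query strings (not taken from the thread); each maps to
# the expected (regex_probe, parsed_probe) results.
SAMPLES = {
    "action=revslider_ajax_action&page=2": (True, True),
    "page=2;action=revslider_show_image": (True, True),   # ';' separator, other order
    "ACTION=RevSlider_Ajax_Action": (True, True),         # [NC] / IGNORECASE
    "action=revslider_ajax_action_v2": (False, False),    # different value
    "myaction=revslider_ajax_action": (False, False),     # different parameter name
    "action=revslider%5Fajax%5Faction": (False, True),    # encoded '_' slips past the regex
}

def check_samples() -> bool:
    """True when every sample produces the expected pair of results."""
    return all((regex_probe(q), parsed_probe(q)) == exp for q, exp in SAMPLES.items())

if __name__ == "__main__":
    print("all samples as expected:", check_samples())
```

The last sample is the caveat: a rule that matches the raw query string only sees the bytes as sent, so a decoded comparison is the stricter check if the application decodes before routing.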