Score:1

Server

restrict access to a specific URL with .htaccess

mikef0x

7/25/23, 6:59 PM

Hello i am running server with xenforo. i would like to know how can i restrict url from .htaccess.

Url is : https://mywebiste.com/index.php?members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json

there is sql injection so it think just blocking it would fix it.

i tried doing something like this:

RewriteEngine On
RewriteRule ^index.php?members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfTo
ken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json - [F]

and with $ at the end:

RewriteEngine On
RewriteRule ^index.php?members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfTo
ken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json$ - [F]

What am i doing wrong?

0 + 0

linux

sql

.htaccess

Score:0

Server

Varrah

7/25/23, 7:21 PM

The solution you are trying to implement will only block the URL you typed in. Changing this URL in any way, e.g. swapping two of the GET params, or adding extra GET params (even irrelevant ones), or adding hash-tag params would render the request different to Apache and overcome your protection.

Instead modify your index.php to properly handle the request and safely work with user input (such as GET requests), giving HTTP403 Unauthorized in case anything suspicious comes in.

0 + 0

mikef0x

7/25/23, 7:35 PM

thanks for the answer, but i'm using xenforo and i dont have experience with php so it is hard for me to do it.

Score:0

Server

MrWhite

7/25/23, 7:18 PM

The RewriteRule directive matches against the URL-path only. To match the query string you would need an additional RewriteCond (condition) directive that matches against the QUERY_STRING server variable.

For example, to block that specific URL:

RewriteCond %{QUERY_STRING} =members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json
RewriteRule ^index\.php$ - [F]

The = prefix on the CondPattern (2nd argument to the RewriteCond directive) makes it a lexicographic string comparison (exact match), not a regex, so no need to escape special regex meta characters.

However, this URL is very specific, would it not be preferable to block URLs that (don't) match a certain pattern? Although if you are already sufficiently validating the URL param values in your server-side script then blocking specific URLs like this should not be necessary.

0 + 0

mikef0x

7/25/23, 7:27 PM

Thanks for the answer, how can i block urls that dont math a certain pattern?

MrWhite

7/25/23, 7:32 PM

@mikef0x Use a regex. It depends what "certain pattern" you do/don't want to match.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: restrict access to a specific URL with .htaccess

TH: จำกัดการเข้าถึง URL เฉพาะด้วย .htaccess

RO: restricționați accesul la o anumită adresă URL cu .htaccess

RU: ограничить доступ к определенному URL-адресу с помощью .htaccess

VI: hạn chế quyền truy cập vào một URL cụ thể với .htaccess

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.