Score:1

restrict access to a specific URL with .htaccess


Hello, I am running a server with XenForo. I would like to know how I can restrict a URL from .htaccess.

Url is : https://mywebiste.com/index.php?members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json

There is a SQL injection, so I think just blocking it would fix it.

I tried doing something like this:

RewriteEngine On
RewriteRule ^index.php?members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json - [F]

and with $ at the end:

RewriteEngine On
RewriteRule ^index.php?members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json$ - [F]

What am I doing wrong?

Score:0

The solution you are trying to implement will only block the URL you typed in. Changing this URL in any way, e.g. swapping two of the GET params, adding extra GET params (even irrelevant ones), or adding hash-tag params, would render the request different to Apache and overcome your protection.

Instead, modify your index.php to properly handle the request and safely work with user input (such as GET requests), giving HTTP 403 Unauthorized in case anything suspicious comes in.

mikef0x avatar
Thanks for the answer, but I'm using XenForo and I don't have experience with PHP, so it is hard for me to do it.
Score:0

The RewriteRule directive matches against the URL-path only. To match the query string you would need an additional RewriteCond (condition) directive that matches against the QUERY_STRING server variable.

For example, to block that specific URL:

RewriteCond %{QUERY_STRING} =members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json
RewriteRule ^index\.php$ - [F]

The = prefix on the CondPattern (the 2nd argument to the RewriteCond directive) makes it a lexicographic string comparison (an exact match), not a regex, so there is no need to escape special regex meta-characters.

However, this URL is very specific; would it not be preferable to block URLs that (don't) match a certain pattern? Although, if you are already sufficiently validating the URL param values in your server-side script, then blocking specific URLs like this should not be necessary.

mikef0x avatar
Thanks for the answer. How can I block URLs that don't match a certain pattern?
@mikef0x Use a regex. It depends what "certain pattern" you do/don't want to match.
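As an added example (not from either answer or from XenForo), here is the pattern-based form of the RewriteCond approach described in the second answer, answering the follow-up question above: instead of matching one exact query string (which, as the first answer notes, is defeated by reordering or adding parameters), it captures the value of the `q` parameter wherever it appears and refuses the request unless that value consists only of allowed characters. The allow-list `[A-Za-z0-9_.@+-]` is an assumption for this example and should be widened to whatever `members/find` legitimately receives; the rule is scoped to `index.php` as in the answer.

```apache
RewriteEngine On

# Capture the value of the "q" parameter wherever it sits in the query string.
# mod_rewrite tests QUERY_STRING before percent-decoding, so "%5B" is seen as
# the three literal characters "%5B", and a "%" in the value is caught below.
RewriteCond %{QUERY_STRING} (?:^|&)q=([^&]*) [NC]

# Reject the request unless the captured value (%1, the group from the previous
# condition) matches the allow-list. The character set is an assumption for
# this example; adjust it to the input the endpoint genuinely needs.
RewriteCond %1 !^[A-Za-z0-9_.@+-]*$

# Both conditions are ANDed; when they hold, answer 403 Forbidden for index.php.
RewriteRule ^index\.php$ - [F]
```

With these rules the URL from the question is refused because `q=oi%5Bp%5C` contains `%`, and so is any request that carries the same value with the parameters in a different order or with extra parameters appended. Requests whose `q` value is entirely within the allow-list, and requests with no `q` parameter at all, pass through unchanged. This is a coarse filter in front of the application; the second answer's point stands that validating parameters in the server-side script is the proper fix.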