Jump to content
Sign in to follow this  
Taipo

Hardcore Security for osCommerce HTACCESS

Recommended Posts

Hardcore Security for osCommerce HTACCESS

 

If you are familiar with editing .htaccess code then have a look through the example in the htaccess_code.txt.

 

To use it, copy and paste the entire contents appending to the end of your current .htaccess file in the root catalog shop directory.

 

If any 500 internal errors occur, try commenting out parts of the code. If all else fails, just be sure to use this addon here ( http://addons.oscommerce.com/info/8283 ) as it does what Hardcore Security for HTACCESS does plus more

 

If you are using both the ip address banning and email notification and notice that you are receiving dozens of notifications per hour then using the code examples in this htaccess file will help reduce the load on your server considerably.

 

Finally a warning about htaccess filtering.

 

This is hardcore request filtering and 'can' prevent legitimate requests from completing in odd circumstances for example where a site is heavily modified with custom code not a part of the osCommerce codeset.

 

Secondly, Hardcore Security for HTACCESS is about as good as it gets (or at least, it attempts to be...) with htaccess hardening in terms of blocking the usual hack attempts, although like any addon security script, it cannot block them all.

 

But what it does do is reach the limits of the potential of what can be achieved in blocking hack attempts using directives in htaccess.

 

Only add this to your root directory's .htaccess file if you are experienced in .htaccess code or else have an expert look at it and implement it on your behalf.

 

While this method is not as thorough as osC_Sec ( http://addons.oscommerce.com/info/8283 ) in blocking attack attempts, blocking a majority of attacks however before the php is executed is far less server intensive so therefore will at least lighten the load on your webserver if it receives a lot of attention from attackers.

 

Unlike other .htaccess addons, this one does not ban ip addresses. It does not have to because a blocked attempt is a blocked attempt.

 

I am leaving this addon open for others to develop as it needs work.

 

see it here: http://addons.oscommerce.com/info/8296

 

Taipo

rohepotae@gmail.com


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Here is the working code: ver 1.0.1

 

##########	Hardcore Security for osCommerce HTACCESS v1.0.1	###########
########## AUTHOR: TE TAIPO - rohepotae@gmail.com ###########
##			See readme.txt for instructions	 ###########

Options +SymLinksIfOwnerMatch

# disable the server signature
ServerSignature off

# set the server administrator email
SetEnv SERVER_ADMIN default@yourdomain.com

# ~~~~ START OF FILTERING ~~~~~ #

# secure htaccess and other files

<FilesMatch "(\.htaccess|\.htpasswd)$">
Order Allow,Deny
Deny from all
</FilesMatch>

# add whatever configuration files here that are hosted on your server
# that you want blocked
<FilesMatch "^(php\.ini|php5\.ini)$">
Order allow,deny
Deny from all
</FilesMatch>

# disable access to the osCommerce config.php  
<Files ~ "includes/configure.php$">
deny from all  
</Files>

# disable access to the osCommercce admin config.php  
<Files ~ "admin/includes/configure.php$">
deny from all  
</Files>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# server request method
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS) [OR]

# osCommerce 2.2x
RewriteCond %{THE_REQUEST} ^.*\.php/login\.php.*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*login.php\?action\=backupnow.*$ [NC,OR]

# _REQUEST
RewriteCond %{THE_REQUEST} \?\ HTTP/1. [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/1. [NC,OR]
RewriteCond %{THE_REQUEST} %20HTTP/1. [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (showimg=|cookies=|passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (file_get_contents\(|setcookie\() [NC,OR]
RewriteCond %{QUERY_STRING} (\,0x3a\,|unescape\(|fromcharcode|pwtoken_get|php_uname|passthru\() [NC,OR]
RewriteCond %{QUERY_STRING} (eval\%28|eval\%2528|eval\(|base64_(en|de)code[^(]*\([^)]*\)|base64_encode.*\(.*\)) [NC,OR]
RewriteCond %{QUERY_STRING} (JHs\=|replace\(|return\%20clk|boot\.ini|php\/password_for|announce\?info_hash) [NC,OR]
RewriteCond %{QUERY_STRING} (\_START\_|\=alert\(|mysql\_query|\.\.\/cmd|rush\=|EXTRACTVALUE\(|phpinfo\() [NC,OR]
RewriteCond %{QUERY_STRING} (\/frameset|\$\_SESSION|\$\_REQUEST|\$HTTP\_|mosConfig\_|inurl\:|\/iframe|onload\=) [NC,OR]
RewriteCond %{THE_REQUEST} (allow_url_fopen|\%23include\+\<|get_defined_vars\(|\%22\'\%2f|error_reporting\(0\)) [NC,OR]
RewriteCond %{THE_REQUEST} (fwrite\(|waitfor\%20delay|shell_exec|gzinflate\(|prompt\(|php_value\%20auto) [NC,OR]
RewriteCond %{THE_REQUEST} (onmouseover|onmousedown|ct\(this) [NC,OR]
RewriteCond %{THE_REQUEST} (ftp\:\/\/|1\=1\-\-|current\_user\(\)|\%3Cform|sha1\(|self\/environ) [NC,OR]
RewriteCond %{THE_REQUEST} (\<\%3Fphp|\%\%|1\+and\+1|\/iframe|\$\_GET|document\.cookie|onload\%3d|onunload\%3d) [NC,OR]
RewriteCond %{THE_REQUEST} (\%00|hex\_ent|ob\_starting|PHP\_SELF|etc\/passwd|shell\_exec|data\:\/\/|\$\_SERVER|\$\_POST) [NC,OR]
RewriteCond %{THE_REQUEST} (\%bf\%5c\%27|\%bf\%27|\%ef\%bb\%bf|\%8c\%5c|\%a3\%27) [NC,OR]
RewriteCond %{THE_REQUEST} (\=0\^\() [NC,OR]
RewriteCond %{THE_REQUEST} (\@\@datadir|\@\@version|version\(\)|localhost|\}\)\%3B|Set\-Cookie|\%253C\%2Fscript\%253E) [NC,OR]
RewriteCond %{THE_REQUEST} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

# http referer
RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%00) [NC,OR]

# mysql related
RewriteCond %{QUERY_STRING} (null\,null|outfile|load_file) [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (order).*(by).*(\%[0-9A-Z]{0,2}) [NC,OR]
RewriteCond %{QUERY_STRING} (waitfor|delay|shutdown).*(nowait) [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(}encode\(|encrypt\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

# cookies
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (eval\%28|eval\%2528|eval\(|information_schema) [NC,OR]
RewriteCond %{HTTP_COOKIE} (null\,null|outfile) [NC,OR]
RewriteCond %{HTTP_COOKIE} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(}encode\(|encrypt\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

# LFI and session hijacking
RewriteCond %{QUERY_STRING} \=(\.\./\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} \=(\.\.//\./?)+ [OR]
RewriteCond %{QUERY_STRING} \=(\.\.\\\.\./?)+ [OR]
RewriteCond %{QUERY_STRING} \=(\.\.\\\\\./?)+ [OR]
RewriteCond %{QUERY_STRING} \/tmp\/sess_ [NC,OR]
RewriteCond %{QUERY_STRING} php:\/\/filter\/read=convert\.base64-(en|de)code\/ [NC,OR]

# if expose_php is set to on
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]

RewriteRule ^(.*)$ - [F,L]
</IfModule>

# ~~~~ END OF FILTERING ~~~~~ #
# OPTIONAL EXTRAS
# Uncomment and use.
# If Error 500 encountered then comment out

# disable directory browsing, if error 500 encountered then comment out
# Options All -Indexes

# prevent folder listing, if error 500 encountered then comment out
# IndexIgnore *

# php_value session.use_trans_sid 0

# auto keep the config file read only
# chmod configure.php files 444

# turn off magic_quotes_gpc
# <ifmodule mod_php4.c>
# php_flag magic_quotes_gpc off
# </ifmodule>

########## End of Hardcore Security for osCommerce HTACCESS v1.0.1 #################

 

Like I said, it needs work.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi Taipo,

 

From my post on the OSC SEC Thread where you responded with :

 

 

Off the top of my head it would look something like this in your admin .htaccess file.

order deny,allow
deny from all
allow from 123.123

 

If I know the range of IPs that my ISP allocates, could I then use something like:

 

order deny,allow
deny from all
allow from 123.101
allow from 123.102
allow from 123.103
etc.

 

This would then block access attempts to my Admin from everyone not using the same ISP as me, and the other security enhancements such as OSC SEC would deal with any from the same ISP as me?

 

Many Thanks again

Edited by Mort-lemur

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Share this post


Link to post
Share on other sites

Ok,

 

Added the code as above to my admin/.htaccess file and all seems well - ie. I can still access the admin on the IPs provided by my ISP - maybe this should be added to the .htaccess hardening modification as an optional extra for those like me with dynamic IP addresses?

 

Many Thanks

Edited by Mort-lemur

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Share this post


Link to post
Share on other sites

I would agree with adding something like that in as an addition to the admin htaccess if you had a static IP. The problem with adding something that has a relative security value is that people that do not understand the implications of such a thing can unintentionally put too much dependency on that method as a means of protection. We saw this with the implimentation of an admin login system for osCommerce where a good majority of newer users did not put .htaccess protection on their admin directories because there was another method that was less time intensive to install. When the admin login bypass was discovered and let loose into the wild, the damage was far more extensive than it should have been if users had stayed with the tried and true apache basic authentication by way of the htpasswd method.

 

So in keeping with the idea of hardening a system, the best practice should be promoted where directory/folder protection should be used as it is with osC 2.3.1 where there are both htaccess login protection as well as a script based login method. My only dislike of the 2.3.1 method is the fact that users end up using the same username and password for both login layers which completely defeats the purpose of using htaccess basic authentication.

 

While it is far more convenient to only log in once, it is not asking too much in my opinion to have two separated layers of login access by having different credentials for both layers. All shop owners of real shops can have up to 3 layers of 'login' access levels to their shops, a padlock and bolt with a pull down security roller door, a key entry for the actual door and an alarm system which they have to unlock to get in and relock at the end of every day.

 

What has happened in the past when admin authentication was added was new and upgraded shop owners, figuratively speaking, left the lock and bolt and pull down roller door off.

 

But I digress, unfortunately the safest method of using that method above is to go and purchase a static IP from your internet service provider. That is the real pull down roller door, osC_Sec working with 2.2 range of osCommerce sites is like the real door locking system, and SiteMonitor is like your alarm system should all of that fail.

 

That will protect you from 99.9% of unauthorized access attempts which is about as good as it can get and that is really the standard that needs to be kept for this particular layer of security.

 

I would still encourage you to try and get a static IP first if you intend to use htaccess in that manner. Most ISPs are shifting back toward static ips now that governments are heading toward using legislation to catch and penalize people who download music and films via file sharing.

 

But in your case, if you are not able to add the proper htaccess basic user authentication (folder/directory protection), and are unable to get a static IP, then what you have done is better than nothing.

 

Changing the name of your admin directory (if you haven't already done so) would be another way of further securing your site.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi Taipo,

 

Thanks for the reply.

Im almost paranoid over security, as my stores are my living and pay the Bills!

 

In my suggestion I am just trying to add additional layers. Of course I have changed the admin name, have protected it via . htaccess password have installed many many security mods and keep OSC SEC up to date as it develops, and check the sitemonitor results daily - so I am not suggesting relying solely on the IP .htaccess method.

 

Many Thanks


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Share this post


Link to post
Share on other sites

Yes I can certainly see that your intentions are good, and for your conditions you are doing what you can to add every possible layer of security in so as to reduce the chances of your site being attacked to the lowest degree possible.

 

In my experience though, adding this method into an addon as I mentioned above, can lead to people depending on it more than one should, no matter what you write in the readme instructions.

 

For example, even though I put in the readme when I first released this alongside osC_Sec, that this was only for those experienced with htaccess, and to basically dont use it unless you really know what you are doing, well, surprise surprise as soon as I released it, I started getting emails from people who obviously have no clue about htaccess, and were trying to install it asking what is htaccess and where do they add the file.

 

Same goes for that test feature I added into osC_Sec that I eventually took out, no matter how I tried to stipulate that this was merely for test purposes, many users still activated it.

 

You can see this too with the development of osC 3.x, people are still trying to install and use it live when it is only half complete.

 

It is possible more a psychological thing perhaps, post hack trauma perhaps...where people gobble up every possible security addon they can.

 

The security addons available fall into a couple of categories, 1) addons that patch the security hole as their primary purpose, 2) addons that cover general security issues thus reducing bandwidth and cpu consumption, 3) addons that patch what users thought were the security issues that were behind the site instrusions, before the real holes were discovered, 4) addons that make you feel better about your security but offer little or no added security and in some cases possibly less security.

 

So while there is a particular set of circumstances where the method you are using above may enhance your security just a little, my guess is from experience that the moment an addon writer adds that to an addon, it will be taken out of context and in fact lead to 'less' security, rather than more.

 

I hope that better explains the position I am trying to convey here.

 

So rather than the scatter gun approach of adding every security addon until you 'feel' safe, what I want to promote is that users understand what is good web script security and structure your security planning based on what really works, and therefore move away a little from those ideas that create the perception of security.

 

There is only one real layer of security and that responsibility lays with the code developers to use the most up to date secure coding methods out.

 

For everything else there are the following:

 

1) Keep your web applications up to date. That means using the latest version of your web script no matter the cost. It was one of the dilemmas I had to face when writing osC_Sec, knowing that it was going to encourage people to keep using out of date versions of osCommerce, the reality though was that people were still going to use the out of date versions no matter what due to the perception of security some of these other addons were giving users. Since no actual specific patch was released for the security hole. There are only 2 addons I know of that provide either a partial patch or the actual patch to the specific login issue.

 

2) Block attacks at the gate. Most users do not have access to the webserver configuration or for keeping it up to date with the latest server applications and extensions, so their first port of call is htaccess. Htaccess allows for a limited amount of security to be added by webspace users, because it cannot ascertain conditions, i.e. if something exists then do this or that. So what I am proposing above would probably be on the border of insanity when it comes to what htaccess should be used for. However I do not profess to be an expert in the htaccess field, so I am leaving that open for others to pick up on. There is a limit to this, and this addon probably goes over the limit at its current state.

 

3) Use tried and true methods of restricting access to directories. htaccess and htpasswd would be that method, others involving hiding admin directories.

 

4) Block attacks at the script level. Filtering the HTTP requests is not the most optimal use of server resources, but it beats the amount of CPU and data resources that are expended when virus code is exploiting or hammering your site. Reducing attack requests to a mere few bytes of data is the best use of server resources.

 

5) Monitoring the state of your files. SiteMonitor does a good job at this, I have not checked out the other addons. This again though is limited. For example if a server is hacked at a root level, one of the first things an attacker could do is delete SiteMonitor and any other emailer addons. But it does what can be done from an addon level. As do any of the addons.

 

As you can also see I have not focussed on things like file permissions which are still necessary, but to a lesser extent these days especially with the number of web hosts moving to configurations where the PHP script has owner level privaleges. For example, having to change the configure.php file to read only achieves what exactly if PHP has the permission to change the file permission back to something writable. No doubt it makes users feel safer having to change the file permissions to a perceived state of read only, but is about where that ends.

 

No matter the file permissions, if a local file read security hole exists, an attacker can still read the contents of any file including the read-only configure file to get the database username and password, which is also often the cpanel username and password where the web owner has not been careful enough. Where a local file or code include exists, an attacker can change the file permissions of any file to writable and prepend or append any code they wish to the site files as has happened in the last.

 

Same goes with some security holes which allow attackers to change directories therefore look up into directories that are not in the public_html area. At the end of the day those methods of hiding files have a more feel good affect to them rather than actual security enhancements. Again, the best security practice in coding and the use of htaccess/htpasswd restrictions are still the number one method of best security practices.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi Taipo

 

thanks for this addon.

 

I have a couple of questions, when you say "If any 500 internal errors occur, try commenting out parts of the code.", which parts exactly? how do you determine which parts would cause the 500 errors?

 

Also, regarding the rewritecond, my rewrite engine is already ON due to the url rewrite addon, so do I add your rewritecond codes AFTER my other rewritecond codes? I ask because I have read somewhere that you can't put this code twice in .htaccess. So I'm guessing I can't just paste the whole of your .htaccess to the bottom of mine. Hope I make sense.

RewriteEngine On
RewriteBase /

Edited by Biancoblu

~ Don't mistake my kindness for weakness ~

Share this post


Link to post
Share on other sites

Hi Taipo

 

thanks for this addon.

 

I have a couple of questions, when you say "If any 500 internal errors occur, try commenting out parts of the code.", which parts exactly? how do you determine which parts would cause the 500 errors?

 

When it comes to that particular error, the webserver does not give you any indication what would be the cause. So your options are to go through each section and comment them out to see which is conflicting with your webserver configuration.

 

Also, regarding the rewritecond, my rewrite engine is already ON due to the url rewrite addon, so do I add your rewritecond codes AFTER my other rewritecond codes? I ask because I have read somewhere that you can't put this code twice in .htaccess. So I'm guessing I can't just paste the whole of your .htaccess to the bottom of mine.

 

Performance wise it if not the optimum to have more than one occurence of RewriteEngine On. But in most cases users are rewriting URLs, however in 99% of the time with this code where the filtering finds no conditions met the page loads as it should with no extra work done by the server.

 

Keep in mind the point of having this discussion up under this section is for the development of this script, which means it will have bugs in it since it has not been tested in the wild nor have we had any of the htaccess people come in here and pull it apart, which I hope will happen sooner than later.

 

I have had a bit of a play with it yesterday and found a number of issues and will be pasting an update in a day or so. But that gives you some idea about why it is not ready for production use yet.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Latest update

 

##########	Hardcore Security for osCommerce HTACCESS v1.0.2	###########

Options +SymLinksIfOwnerMatch

# disable the server signature
ServerSignature off

# set the server administrator email
SetEnv SERVER_ADMIN default@yourdomain.com

# ~~~~ START OF FILTERING ~~~~~ #

# secure htaccess and other files

<FilesMatch "(\.htaccess|\.htpasswd)$">
Order Allow,Deny
Deny from all
</FilesMatch>

# add whatever configuration files here that are hosted on your server
# that you want blocked
<FilesMatch "^(php\.ini|php5\.ini)$">
Order allow,deny
Deny from all
</FilesMatch>

# disable access to the osCommerce config.php  
<Files ~ "includes/configure.php$">
deny from all  
</Files>

# disable access to the osCommercce admin config.php  
<Files ~ "admin/includes/configure.php$">
deny from all  
</Files>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# server request method
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS) [OR]

# osCommerce 2.2x
RewriteCond %{THE_REQUEST} ^.*\.php/login\.php.*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*login.php\?action\=backupnow.*$ [NC,OR]

# _REQUEST
RewriteCond %{THE_REQUEST} \?\ HTTP/1. [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/1. [NC,OR]
RewriteCond %{THE_REQUEST} %20HTTP/1. [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (showimg=|cookies=|passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (file_get_contents\(|setcookie\() [NC,OR]
RewriteCond %{QUERY_STRING} (\,0x3a\,|unescape\(|fromcharcode|pwtoken_get|php_uname|passthru\() [NC,OR]
RewriteCond %{QUERY_STRING} (eval\%28|eval\%2528|eval\(|base64_(en|de)code[^(]*\([^)]*\)|base64_encode.*\(.*\)) [NC,OR]
RewriteCond %{QUERY_STRING} (JHs\=|replace\(|return\%20clk|boot\.ini|php\/password_for|announce\?info_hash) [NC,OR]
RewriteCond %{QUERY_STRING} (\_START\_|\=alert\(|mysql\_query|\.\.\/cmd|rush\=|EXTRACTVALUE\(|phpinfo\() [NC,OR]
RewriteCond %{QUERY_STRING} (\/frameset|\$\_SESSION|\$\_REQUEST|\$HTTP\_|mosConfig\_|inurl\:|\/iframe|onload\=) [NC,OR]
RewriteCond %{THE_REQUEST} (allow_url_fopen|\%23include\+\<|get_defined_vars\(|\%22\'\%2f|error_reporting\(0\)) [NC,OR]
RewriteCond %{THE_REQUEST} (fwrite\(|waitfor\%20delay|shell_exec|gzinflate\(|prompt\(|php_value\%20auto) [NC,OR]
RewriteCond %{THE_REQUEST} (onmouseover|onmousedown|ct\(this) [NC,OR]
RewriteCond %{THE_REQUEST} (ftp\:\/\/|1\=1\-\-|current\_user\(\)|\%3Cform|sha1\(|self\/environ) [NC,OR]
RewriteCond %{THE_REQUEST} (\<\%3Fphp|\%\%|1\+and\+1|\/iframe|\$\_GET|document\.cookie|onload\%3d|onunload\%3d) [NC,OR]
RewriteCond %{THE_REQUEST} (\%00|hex\_ent|ob\_starting|PHP\_SELF|etc\/passwd|shell\_exec|data\:\/\/|\$\_SERVER|\$\_POST) [NC,OR]
RewriteCond %{THE_REQUEST} (\%bf\%5c\%27|\%bf\%27|\%ef\%bb\%bf|\%8c\%5c|\%a3\%27) [NC,OR]
RewriteCond %{THE_REQUEST} (\@\@datadir|\@\@version|version\(\)|localhost|\}\)\%3B|Set\-Cookie|\%253C\%2Fscript\%253E) [NC,OR]
RewriteCond %{THE_REQUEST} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

# http referer
RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%00) [NC,OR]

# mysql related
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (order).*(by).*(\%[0-9A-Z]{0,2}) [NC,OR]
RewriteCond %{QUERY_STRING} (waitfor|delay|shutdown).*(nowait) [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(}encode\(|encrypt\(|extract\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(field\(|floor\(|format\(|from|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

# cookies
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (eval\%28|eval\%2528|eval\(|information_schema) [NC,OR]
RewriteCond %{HTTP_COOKIE} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(}encode\(|encrypt\(|extract\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(field\(|floor\(|format\(|from|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

# LFI and session hijacking
RewriteCond %{QUERY_STRING} \=(\.\./\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} \=(\.\.//\./?)+ [OR]
RewriteCond %{QUERY_STRING} \=(\.\.\\\.\./?)+ [OR]
RewriteCond %{QUERY_STRING} \=(\.\.\\\\\./?)+ [OR]
RewriteCond %{QUERY_STRING} \/tmp\/sess_ [NC,OR]
RewriteCond %{QUERY_STRING} php:\/\/filter\/read=convert\.base64-(en|de)code\/ [NC,OR]

# if expose_php is set to on
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]

RewriteRule ^(.*)$ - [F,L]
</IfModule>

# ~~~~ END OF FILTERING ~~~~~ #
# OPTIONAL EXTRAS
# Uncomment and use.
# If Error 500 encountered then comment out

# disable directory browsing, if error 500 encountered then comment out
# Options All -Indexes

# prevent folder listing, if error 500 encountered then comment out
# IndexIgnore *

# php_value session.use_trans_sid 0

# auto keep the config file read only
# chmod configure.php files 444

# turn off magic_quotes_gpc
# <ifmodule mod_php4.c>
# php_flag magic_quotes_gpc off
# </ifmodule>

########## End of Hardcore Security for osCommerce HTACCESS v1.0.2 #################


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

 

Keep in mind the point of having this discussion up under this section is for the development of this script, which means it will have bugs in it since it has not been tested in the wild nor have we had any of the htaccess people come in here and pull it apart, which I hope will happen sooner than later.

 

I have had a bit of a play with it yesterday and found a number of issues and will be pasting an update in a day or so. But that gives you some idea about why it is not ready for production use yet.

 

I see your point, I will first try it on my test server and see what happens. Anyway I think you're doing a terrific job so thanks for coming up with this .hataccess. :)


~ Don't mistake my kindness for weakness ~

Share this post


Link to post
Share on other sites

I found this contribution using osc-sec contribution. We have a very heavily modified cart, started as ms2.2, fully security updated, probably 100+ contibutions added with most rewritten to coexist, and now "integrating" some of the best of osC2.3.1

 

Your version 1, included in the osc-sec contribution cause a real problem with updating many of our admin pages. We use Admin Access with Level control, and have had to modify it as well as most contributions to work with it.

 

Many compliments on this lastes v1.0.2 you just posted. I tried it as written, and so far can find no problems on our catalog front end or in the admin areas. With all the code changes we have made, it is seldom that any contribution works right out of the box on our development site. Thanks for the great work. (a live setup using this version of your htaccess hardening is here: www.designerdogregistry.com)

 

George

Edited by Jan Zonjee

GEOTEX from Houston, TX

 

(George)

Share this post


Link to post
Share on other sites

I was doing some research on a project and Google brought me to this thread. I was looking at your .htaccess rules and I saw a syntax error and a repeated word.

 

This line I believe you made a syntax error. You meant to use | but you actually put }

RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(}encode\(|encrypt\() [NC,OR]

 

Also this word is repeated

 

information_schema

 

You could also eliminate the mutliple use of \(

 

I've fixed and optimized this section for you here:

 

Before:

# cookies
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (eval\%28|eval\%2528|eval\(|information_schema) [NC,OR]
RewriteCond %{HTTP_COOKIE} (null\,null|outfile) [NC,OR]
RewriteCond %{HTTP_COOKIE} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(}encode\(|encrypt\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

 

After:

# cookies
RewriteCond %{HTTP_COOKIE} (<|>|’|%0[AD0]|%27|%3[CE]|eval\%(25)?28|(information|table)_schema|null(\,)?|outfile|union([^a]*a)+ll([^s]*s)+elect) [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii|bin|benchmark|cast|char(set)?|collation|concat(_ws)?|conv(ert)?|count)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(database|decode|diff|distinct|elt|encode|encrypt|eval|extract|field|floor|format|hex|if|in(sert|str)?)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(interval|lcase|le(ft|ngth)|lo(ad_file|cate|ck|g|wer)|lpad|ltrim|max|md5|mid|mod|now|null)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*((passw)?ord|position|quote|rand|repeat|replace|reverse|right|rlike|row_count|rpad|rtrim)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(_set|schema|sha[12]|sleep|soundex|space|strcmp|substr(_index|ing)?|sum)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(time|trim|truncate|ucase|unhex|upper|(_)?user||values|varchar|version|xor)\( [NC,OR]

 

A savings of 472 bytes. Sorry didn't mean to hijack your thread. :(

Share this post


Link to post
Share on other sites

I was doing some research on a project and Google brought me to this thread. I was looking at your .htaccess rules and I saw a syntax error and a repeated word.

 

This line I believe you made a syntax error. You meant to use | but you actually put }

RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(}encode\(|encrypt\() [NC,OR]

 

Also this word is repeated

 

information_schema

 

You could also eliminate the mutliple use of \(

 

I've fixed and optimized this section for you here:

 

Before:

# cookies
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (eval\%28|eval\%2528|eval\(|information_schema) [NC,OR]
RewriteCond %{HTTP_COOKIE} (null\,null|outfile) [NC,OR]
RewriteCond %{HTTP_COOKIE} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(}encode\(|encrypt\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

 

After:

# cookies
RewriteCond %{HTTP_COOKIE} (<|>|’|%0[AD0]|%27|%3[CE]|eval\%(25)?28|(information|table)_schema|null(\,)?|outfile|union([^a]*a)+ll([^s]*s)+elect) [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii|bin|benchmark|cast|char(set)?|collation|concat(_ws)?|conv(ert)?|count)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(database|decode|diff|distinct|elt|encode|encrypt|eval|extract|field|floor|format|hex|if|in(sert|str)?)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(interval|lcase|le(ft|ngth)|lo(ad_file|cate|ck|g|wer)|lpad|ltrim|max|md5|mid|mod|now|null)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*((passw)?ord|position|quote|rand|repeat|replace|reverse|right|rlike|row_count|rpad|rtrim)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(_set|schema|sha[12]|sleep|soundex|space|strcmp|substr(_index|ing)?|sum)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(time|trim|truncate|ucase|unhex|upper|(_)?user||values|varchar|version|xor)\( [NC,OR]

 

A savings of 472 bytes. Sorry didn't mean to hijack your thread. :(

 

Seems like there's a problem with that last line. Older version of Apache don't like using an underscore after a pipe.

Here is the corrected version.

# Cookies
RewriteCond %{HTTP_COOKIE} (<|>|’|%0[AD0]|%27|%3[CE]|eval\%(25)?28|(information|table)_schema|null(\,)?|outfile|union([^a]*a)+ll([^s]*s)+elect) [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii|bin|benchmark|cast|char(set)?|collation|concat(_ws)?|conv(ert)?|count)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(database|decode|diff|distinct|elt|encode|encrypt|eval|extract|field|floor|format|hex|if|in(sert|str)?)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(interval|lcase|le(ft|ngth)|lo(ad_file|cate|ck|g|wer)|lpad|ltrim|max|md5|mid|mod|now|null)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*((passw)?ord|position|quote|rand|repeat|replace|reverse|right|rlike|row_count|rpad|rtrim)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(_set|schema|sha[12]|sleep|soundex|space|strcmp|substr(_index|ing)?|sum)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(time|trim|truncate|ucase|unhex|upper|(_?user)|values|varchar|version|xor)\( [NC,OR]

Share this post


Link to post
Share on other sites

I just remembered, you should never use the "everything atom" ".*" at the beginning or middle of a string and if it's at the end of a string it needs to be followed by an anchor "$"

 

 

The (.*) matches "everything" and then you confuse the RegEx parser by saying after "everything" there's some other stuff.

The parser then realises you didn't actually mean "everything" and it then has to do tens of thousands of "back off and retry" trial matches to find out what you actually wanted in there.

 

 

So this can be improved.

# Cookies
RewriteCond %{HTTP_COOKIE} (<|>|’|%0[AD0]|%27|%3[CE]|eval\%(25)?28|(information|table)_schema|null(\,)?|outfile|union([^a]*a)+ll([^s]*s)+elect) [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii|bin|benchmark|cast|char(set)?|collation|concat(_ws)?|conv(ert)?|count)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(database|decode|diff|distinct|elt|encode|encrypt|eval|extract|field|floor|format|hex|if|in(sert|str)?)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(interval|lcase|le(ft|ngth)|lo(ad_file|cate|ck|g|wer)|lpad|ltrim|max|md5|mid|mod|now|null)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*((passw)?ord|position|quote|rand|repeat|replace|reverse|right|rlike|row_count|rpad|rtrim)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(_set|schema|sha[12]|sleep|soundex|space|strcmp|substr(_index|ing)?|sum)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(time|trim|truncate|ucase|unhex|upper|(_?user)|values|varchar|version|xor)\( [NC,OR]

 

To this:

# cookies
RewriteCond %{HTTP_COOKIE} (<|>|’|%0[AD0]|%27|%3[CE]|eval\%(25)?28|(information|table)_schema|null(\,)?|outfile|union([^a]*a)+ll([^s]*s)+elect) [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)(ascii|bin|benchmark|cast|char(set)?|collation|concat(_ws)?|conv(ert)?|count)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)(database|decode|diff|distinct|elt|encode|encrypt|eval|extract|field|floor|format|hex|if|in(sert|str)?)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)(interval|lcase|le(ft|ngth)|lo(ad_file|cate|ck|g|wer)|lpad|ltrim|max|md5|mid|mod|now|null)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)((passw)?ord|position|quote|rand|repeat|replace|reverse|right|rlike|row_count|rpad|rtrim)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)(_set|schema|sha[12]|sleep|soundex|space|strcmp|substr(_index|ing)?|sum)\( [NC,OR]
RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)(time|trim|truncate|ucase|unhex|upper|(_?user)||values|varchar|version|xor)\( [NC,OR]

 

Using (([^/]+/)*) is basically the same, but is more specific and is not resource expensive.

Edited by MickeyRoush

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×