Luis Majano

October 15, 2008

Due to the huge surge in SQL injection attacks, Sana Ullah has done some great work on a set of .htaccess rules to protect against such injections. They have been committed to the ColdBox SVN, but we are also sharing them here. Please note that all the rules are for ColdBox SES, so make sure to update accordingly.

```apache
RewriteEngine on

# SQL Injection Protection -- Read more: www.cybercrime.gov
# Please use these rules only if the words below do not conflict with your
# friendly URLs. You may modify accordingly.
# The parentheses in EXEC( and CAST( are regex metacharacters and must be
# escaped, otherwise the pattern does not compile. [F] answers 403 Forbidden,
# so the /notfound.htm target is never actually served.
RewriteRule ^.*EXEC\(@.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*CAST\(.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE%20.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*%20xp_.*$ /notfound.htm [L,F,NC]

# Ignore images; this is the last rule applied if the condition matches
RewriteRule ^/(.*\.(png|gif|jpg|bmp)) /$1 [L,PT,NC]
# Ignore CSS or JS files; this is the last rule applied if the condition matches
RewriteRule ^/(.*\.(css|js)) /$1 [L,PT,NC]
# Ignore txt/doc/pdf/xls files; this is the last rule applied if the condition matches
RewriteRule ^/(.*\.(txt|pdf|doc|xls)) /$1 [L,PT,NC]

# ColdBox SES: route everything that is not a real file or directory to index.cfm
RewriteRule ^$ index.cfm [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L]
```
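To see what the ruleset above would block before deploying it, here is an added Python harness (not code from the post or from ColdBox) that applies the same patterns, with [NC] modelled as case-insensitive matching, to constructed sample requests. It shows the keywords being caught in a ColdBox SES path, two friendly URLs that trip the DECLARE and CAST( words, and that a RewriteRule Pattern only sees the URL path, so the same keywords in a query string pass unless a RewriteCond %{QUERY_STRING} is added.

```python
import re
from urllib.parse import urlsplit

# Block patterns from the post's .htaccess, with the regex metacharacters
# escaped so they compile (the original EXEC(@ and CAST( open a group that is
# never closed). [NC] maps to re.IGNORECASE; the ^.*...*$ wrapper is what
# search() does anyway.
BLOCK_PATTERNS = [
    r"EXEC\(@", r"CAST\(", r"DECLARE", r"DECLARE%20",
    r"NVARCHAR", r"sp_password", r"%20xp_",
]
_COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in BLOCK_PATTERNS]


def check_request(url, inspect_query=False):
    """Return the first pattern that would fire for this request, or None.

    A RewriteRule Pattern is matched against the URL path only, so a payload in
    the query string is invisible to the rules as posted. inspect_query=True
    models adding a RewriteCond %{QUERY_STRING} <word> [NC] for each word.
    """
    parts = urlsplit(url)
    subjects = [parts.path] + ([parts.query] if inspect_query else [])
    for pattern, rx in _COMPILED:
        if any(rx.search(s) for s in subjects):
            return pattern
    return None


# Constructed sample requests (not from the post): SES-style URLs where the
# parameters live in the path, ordinary friendly URLs, and a query string.
SAMPLE_REQUESTS = [
    "/index.cfm/blog/entry/id/1;DECLARE%20@s%20NVARCHAR",  # keywords in SES path
    "/index.cfm/blog/declared-winner",                      # friendly URL, false positive
    "/index.cfm/reports/forecast(2008)",                    # friendly URL, false positive
    "/index.cfm/blog/entry/id/1",                           # normal request
    "/index.cfm?id=1;DECLARE%20@s",                         # same keywords, query string
]


def audit(urls, inspect_query=False):
    """Map each URL to the pattern that blocks it (None = passes through)."""
    return {u: check_request(u, inspect_query) for u in urls}


if __name__ == "__main__":
    for url, hit in audit(SAMPLE_REQUESTS).items():
        label = f"BLOCK {hit}" if hit else "pass"
        print(f"{label:>16}  {url}")
```

A keyword blocklist like this is a coarse perimeter filter; parameterised queries (cfqueryparam in ColdFusion) remain the actual fix for SQL injection.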

Comments (2)

Aug 08, 2008 19:34:48 UTC

by Oğuz Demirkapı

Great work! Thanks :)

Sep 16, 2008 08:47:54 UTC

by Mark Mazelin

Luis: Great set of rewrite rules! I'm wondering about the rules past the hack attempts. Can you explain why you need the exceptions for images, stylesheets, javascript, and misc. files? And why the index.cfm rewrite rule? Also, it's kinda funny that this blog entry is about hacking and the second comment is comment spam! Ugh...
