Blog

Luis Majano

October 15, 2008

Spread the word


Share your thoughts

Due to the huge spur in SQL injection attacks, Sana Ullah has done some great work on some .htaccess rules to protect against such injections. They have been committed to the ColdBox SVN, but we are also sharing here. Please note that all the rules are for ColdBox SES, so make sure to update accordingly. RewriteEngine on #SQL Injection Protection --Read More www.cybercrime.gov #Please use these rules if below words does not conflict with your friendly-urls. You may modify accordingly RewriteRule ^.*EXEC(@.*$ /notfound.htm [L,F,NC] RewriteRule ^.*CAST(.*$ /notfound.htm [L,F,NC] RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC] RewriteRule ^.*DECLARE%20.*$ /notfound.htm [L,F,NC] RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC] RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC] RewriteRule ^.*%20xp_.*$ /notfound.htm [L,F,NC] #Ignore images and this would be last rule --if the condition matched RewriteRule ^/(.*.(png|gif|jpg|bmp)) /$1 [L,PT,NC] #Ignore CSS or JS files and this would be last rule --if the condition matched RewriteRule ^/(.*.(css|js)) /$1 [L,PT,NC] #Ignore txt/doc/pdf/xls files and this would be last rule --if the condition matched RewriteRule ^/(.*.(txt|pdf|doc|xls)) /$1 [L,PT,NC] RewriteRule ^$ index.cfm [QSA] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L]

Add Your Comment

(2)

Aug 08, 2008 19:34:48 UTC

by O?uz Demirkap?

Great work! Thanks :)

Sep 16, 2008 08:47:54 UTC

by Mark Mazelin

Luis: Great set of rewrite rules! I'm wondering about the rules past the hack attempts. Can you explain why you need to exceptions for images, stylesheets, javascript, misc. files? And why the index.cfm rewrite rule? Also, it's kinda funny that this blog entry is about hacking and the second comment is comment spam! Ugh...

Recent Entries

BoxLang 1.0.0 Beta 5 Launched

BoxLang 1.0.0 Beta 5 Launched

We are pleased to announce the release of BoxLang 1.0.0-Beta 5! This latest beta version includes improvements and essential bug fixes.

What is BoxLang?

BoxLang is a modern dynamic JVM language that can be deployed on multiple runtimes: operating system (Windows/Mac/*nix/Embedded), web server, lambda, iOS, android, web assembly, and more. BoxLang combines many features from different progr

Luis Majano
Luis Majano
July 12, 2024
Explore Into the Box 2024 on CFCast!

Explore Into the Box 2024 on CFCast!

Did you miss our unique Into the Box 2024 event? This year's conference featured notable product updates, incredible new tools, and numerous tips and tricks from industry experts. If you attended Into the Box, you can review the series on demand for free. Those who missed it can purchase the entire series for just $299 and gain full access to video recordings and live sessions. The series will be available to CFCast Paid subscribers until October 30th, 2024.

Maria Jose Herrera
Maria Jose Herrera
July 11, 2024
Rest API Workshop before Adobe CFSummit 2024!

Rest API Workshop before Adobe CFSummit 2024!

Building a REST API for the Modern Developer!

Get ready to elevate your skills at our exclusive 2-day workshop in Las Vegas, Nevada, just before the Adobe CFSummit 2024! This hands-on workshop is your gateway to mastering modern REST API development using ColdBox and other modern tools.

Maria Jose Herrera
Maria Jose Herrera
July 08, 2024