Blog

Luis Majano

October 15, 2008

Spread the word


Share your thoughts

Due to the huge spur in SQL injection attacks, Sana Ullah has done some great work on some .htaccess rules to protect against such injections. They have been committed to the ColdBox SVN, but we are also sharing here. Please note that all the rules are for ColdBox SES, so make sure to update accordingly. RewriteEngine on #SQL Injection Protection --Read More www.cybercrime.gov #Please use these rules if below words does not conflict with your friendly-urls. You may modify accordingly RewriteRule ^.*EXEC(@.*$ /notfound.htm [L,F,NC] RewriteRule ^.*CAST(.*$ /notfound.htm [L,F,NC] RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC] RewriteRule ^.*DECLARE%20.*$ /notfound.htm [L,F,NC] RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC] RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC] RewriteRule ^.*%20xp_.*$ /notfound.htm [L,F,NC] #Ignore images and this would be last rule --if the condition matched RewriteRule ^/(.*.(png|gif|jpg|bmp)) /$1 [L,PT,NC] #Ignore CSS or JS files and this would be last rule --if the condition matched RewriteRule ^/(.*.(css|js)) /$1 [L,PT,NC] #Ignore txt/doc/pdf/xls files and this would be last rule --if the condition matched RewriteRule ^/(.*.(txt|pdf|doc|xls)) /$1 [L,PT,NC] RewriteRule ^$ index.cfm [QSA] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L]

Add Your Comment

(2)

Aug 08, 2008 19:34:48 UTC

by O?uz Demirkap?

Great work! Thanks :)

Sep 16, 2008 08:47:54 UTC

by Mark Mazelin

Luis: Great set of rewrite rules! I'm wondering about the rules past the hack attempts. Can you explain why you need to exceptions for images, stylesheets, javascript, misc. files? And why the index.cfm rewrite rule? Also, it's kinda funny that this blog entry is about hacking and the second comment is comment spam! Ugh...

Recent Entries

Into the Box 2024 Last Early Bird Days!

Into the Box 2024 Last Early Bird Days!

Time is ticking, with less than 60 days remaining until the excitement of Into the Box 2024 unfolds! Don't let this golden opportunity slip away; our exclusive Early Bird Pricing is here for a limited time only, available until March 31st. Why wait? Secure your seat now and take advantage of this steal!

Maria Jose Herrera
Maria Jose Herrera
March 20, 2024
Ortus February Newsletter 2024

Ortus February Newsletter 2024

Welcome to Ortus Solutions’ monthly roundup, where we're thrilled to showcase cutting-edge advancements, product updates, and exciting events! Join us as we delve into the latest innovations shaping the future of technology.

Maria Jose Herrera
Maria Jose Herrera
March 06, 2024
Unveiling the Future of CFML Development - 3rd Round of Sessions

Unveiling the Future of CFML Development - 3rd Round of Sessions

Welcome back to our journey into the future of CFML development! As excitement continues to build for Into the Box 2024, we're thrilled to bring you the latest updates on what promises to be a transformative event. Continuing our blog post series, let's delve deeper into the third wave of session releases and discover the key surprises awaiting attendees. Learn More

Maria Jose Herrera
Maria Jose Herrera
March 01, 2024