Francys, posted February 27, 2010

Hi all,

Found a user in Who's Online at this URL:

http://www.<myshop.com>/<catalog folder name>/index.php/product-m-28?sort=../../../../../../../../../../../../../<rootfoldername>/passwd

Obviously he is trying to insert a query (which is identified by the ? symbol). I searched a little in Google and found multiple options for this. Basically, in my opinion (and I'm not a specialist), what needs to be done is simply block each and every query made in the browser that attempts to go outside the <catalog folder name> in terms of folder structure. This involves .htaccess, right!? OK, I would like to start here the analysis of this situation... thanks in advance.
spooks, posted February 27, 2010

How to secure your site: http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
MrPhil, posted February 27, 2010

Adding the following to your .htaccess file might work:

    RewriteEngine On
    RewriteCond %{QUERY_STRING} \.\./\.\./
    RewriteRule ^.* - [F]

This should block any query string (after "?") with ../../ in it. If you have any legitimate queries like that, add another \.\./ or two. I can't promise it will work, but if it doesn't, just remove it. Changing QUERY_STRING to REQUEST_URI might deal with a wider range of hacks. Feel free to test it.
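An added example, written for this thread rather than taken from it, that applies MrPhil's idea as detection logic over constructed access-log lines (the host, catalog folder and IPs are placeholders). One caveat it makes visible: mod_rewrite matches %{QUERY_STRING} against the raw, still percent-encoded query string, so the literal `\.\./\.\./` pattern does not see `..%2f..%2f` or double-encoded forms; the scanner decodes before matching and reports which flagged lines the raw rule would also have caught.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from the original thread). The catalog
# folder, sort values and client addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Feb/2010:10:01:02 +0000] "GET /catalog/index.php/product-m-28?sort=../../../../../../../../etc/passwd HTTP/1.1" 200 512
203.0.113.10 - - [27/Feb/2010:10:01:09 +0000] "GET /catalog/index.php/product-m-28?sort=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 512
203.0.113.10 - - [27/Feb/2010:10:01:15 +0000] "GET /catalog/index.php/product-m-28?sort=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512
198.51.100.7 - - [27/Feb/2010:10:02:00 +0000] "GET /catalog/index.php?cPath=22&sort=2a HTTP/1.1" 200 9021
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# The literal pattern from the .htaccess RewriteCond above; mod_rewrite applies it to
# the raw query string, so it is tested here against the undecoded value.
HTACCESS_RE = re.compile(r'\.\./\.\./')
# Any "../" (or trailing "..") after decoding and backslash folding.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')

def normalize(query, rounds=3):
    """Percent-decode up to `rounds` times (catches double encoding) and fold backslashes."""
    for _ in range(rounds):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query.replace("\\", "/")

def is_traversal(query):
    """True when the decoded query string contains a parent-directory step."""
    return bool(TRAVERSAL_RE.search(normalize(query)))

def scan(log_text):
    """Return (line_no, client_ip, raw_query, caught_by_raw_htaccess_rule) per flagged request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        if is_traversal(query):
            hits.append((n, line.split()[0], query, bool(HTACCESS_RE.search(query))))
    return hits

if __name__ == "__main__":
    for n, ip, query, caught in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} traversal in query; raw .htaccess rule catches it: {caught}")
```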
Francys (topic author), posted February 28, 2010

Quoting MrPhil:

    Adding the following to your .htaccess file might work:

        RewriteEngine On
        RewriteCond %{QUERY_STRING} \.\./\.\./
        RewriteRule ^.* - [F]

    This should block any query string (after "?") with ../../ in it. If you have any legitimate queries like that, add another \.\./ or two. I can't promise it will work, but if it doesn't, just remove it. Changing QUERY_STRING to REQUEST_URI might deal with a wider range of hacks. Feel free to test it.

WOW, thanks for your feedback :> I will try to implement this. Nice to know there are people here who are so helpful. Thanks.
This topic is now archived and is closed to further replies.