I have had the following in htaccess:
# Forbid if blank (or "-") Referer *and* UA
RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F]
Now I am trying out a licensing system, and the licensing code in the customer's PHP script is falling foul of the above, i.e. it is being rejected.
The licensing software is trying to access my database to make a validation check.
Does anyone know how I can make the customer's script not be caught by the above?
Sorry, I am still swotting up on some of this. I really would be grateful; if you need more info, let me know.
Cheers!
On several sites I have that are subject to a lot of junk accesses, I disallow access if *both* user-agent and referrer are blank, or if either is equal to "-". That's an important point: The use of a user-agent or referrer containing a hyphen is a deliberate attempt to bypass site security measures that disallow blank referrers or user-agents. A hyphen is used because Apache log files will normally contain a hyphen to indicate a blank HTTP request header for either of these values. This masquerade allows the intruder to bypass the blank-check, yet show up in the logs as if these headers were actually blank. Therefore, it should be treated as more serious than a simple blank referrer and/or user-agent:
# Forbid if blank Referer *and* UA
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F]
# Forbid if *faked* blank referer *or* UA
RewriteCond %{HTTP_REFERER} ^-$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$
RewriteRule .* - [F]
Jim
The above did work ok.
I'll see about changing the script headers to accommodate the rest.
Thank you Jim.
Of course the initial problem was working out why the licensing system was not working normally in the first place. I expect the rest will be easy.
--Steve
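An added example, not from either poster: a small Python model of how mod_rewrite chains the RewriteCond lines in the two rule sets above (implicit AND, with [OR] joining a condition to the next one), run over constructed requests. The header values, including the LicenseCheck/1.0 user-agent, are made up for illustration.

```python
import re

# Each rule is a list of (header, pattern, or_flag) tuples modelling the
# RewriteCond lines that precede "RewriteRule .* - [F]" in the thread.
ORIGINAL = [[("Referer", r"^-?$", False), ("User-Agent", r"^-?$", False)]]
REVISED = [
    [("Referer", r"^$", False), ("User-Agent", r"^$", False)],
    [("Referer", r"^-$", True), ("User-Agent", r"^-$", False)],
]

# Constructed sample requests (hypothetical header values).
REQUESTS = {
    "script, no headers": {},
    "script, UA set": {"User-Agent": "LicenseCheck/1.0"},
    "browser, direct visit": {"User-Agent": "Mozilla/5.0"},
    "hyphen UA, real referer": {"Referer": "http://example.com/", "User-Agent": "-"},
    "hyphen referer, blank UA": {"Referer": "-"},
}

def conds_match(conds, headers):
    """Evaluate one RewriteCond chain: OR-groups are ANDed together."""
    i = 0
    while i < len(conds):
        group_ok = False
        while True:  # consume one group of conditions linked by [OR]
            name, pattern, or_flag = conds[i]
            # mod_rewrite expands an absent header to the empty string
            if re.search(pattern, headers.get(name, "")):
                group_ok = True
            i += 1
            if not or_flag or i >= len(conds):
                break
        if not group_ok:
            return False
    return True

def forbidden(rules, headers):
    """True if any rule's condition chain matches, i.e. the request gets 403."""
    return any(conds_match(conds, headers) for conds in rules)

def compare():
    """Map each sample request to (blocked by original, blocked by revised)."""
    return {label: (forbidden(ORIGINAL, h), forbidden(REVISED, h))
            for label, h in REQUESTS.items()}

if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:26} original={old!s:5} revised={new}")
```

A script that sends no headers at all is still rejected by the revised rules; it passes once it sends a non-blank, non-hyphen user-agent, which is the header change mentioned in the last post.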