Blocking requests for 'in-and-out' URLs

Forum Moderators: coopster

Message Too Old, No Replies

Blocking requests for 'in-and-out' URLs

How do I detect these kinds of requests?

StupidScript

8:18 pm on Jan 25, 2006 (gmt 0)

A 'visitor' has been requesting URLs like:

example.com/directory1/../page.html

Both

directory1

and

page.html

exist, and the request resolves to:

example.com/page.html

I'm seeking a method for detecting requests with 'directory manipulation' in them so I can drop those 'visitors'.

PHP 4.3.2, Apache 1.3.27

TIA

Salsa

12:38 am on Jan 26, 2006 (gmt 0)

I would think there are ready-made tools for this, but I've never used them. Off the top of my head, you could make an array of your legitimate directories, and test requests against that. Then you could log a violator's IP, give them a nice warning, and eventually block their IP or redirect them to somewhere no one wants to go. To reduce load, you might first do the above check on only visitors who have no referrer...

Someone else will probably have a better idea, but that's my initial thought.

Salsa
_________

jatar_k

5:47 pm on Jan 26, 2006 (gmt 0)

my best thought is to handle it via apache with a rewrite maybe?

StupidScript

9:42 pm on Jan 26, 2006 (gmt 0)

I think you're right again, jatar_k. By the time it gets to PHP, the path has already been ironed out.

I have this nagging feeling that I've seen some kind of exploit that uses this technique, but I can't remember what the risk is. I've banned the IP these requests come from, but I can't visualize what harm those types of requests might cause.

Thanks for the comments.

jatar_k

4:04 am on Jan 27, 2006 (gmt 0)

there was an exploit, can't remember for what package but it would allow them to move above the site root and execute

prolly phpbb, hehe