
HTTP_ACCEPT and .HTACCESS

         

billg51

3:34 am on May 24, 2003 (gmt 0)

10+ Year Member



Hi.

I run a toplist and there is a way to cheat the application I use by putting 1-pixel img src's on a page, with the URL of the img src pointing to a URL instead of an image.

Example:
img src="http://www.site.com/in.php?id=user"

Every time the "image" is loaded, it sends a hit.

I am trying to block any hits coming from an img src code in .htaccess, but not having any luck. This is what my htaccess looks like that I was trying to get to work.

RewriteEngine on
RewriteCond %{HTTP_ACCEPT} image/*
RewriteRule ^/(.*) [site.com...] [L]

Am I going in the right direction, you think? Or is there another way you could think of to block this?

Thanks.

jeremy goodrich

2:34 am on May 27, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Not sure how to do that myself; perhaps another member with more Apache experience has an idea?

jdMorgan

3:19 am on May 27, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



billg51,

I can't speak to whether this will actually work - I've never tried it. The following corrections to your mod_rewrite code may help, though.


RewriteEngine on
RewriteCond %{HTTP_ACCEPT} image/
RewriteRule .* /index.php [L]

The problem is (I believe) that any browser will publish an accept header stating what kind of objects it can accept, not limited to what kind of object it is requesting. Therefore, the above may end up blocking any browser that can accept an image type object-- meaning almost all of them.

If you know what sites are exploiting this <img src> trick, you can block them by IP address or block referrals from those sites.

HTH,
Jim
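
The referrer-based block suggested in the reply above, as an added example that is not part of the original posts. The hostnames `abuser-one.example` and `abuser-two.example` are placeholders, and the rule assumes `in.php` sits in the same directory as this `.htaccess` file.

```apache
RewriteEngine On

# Kept for comparison, commented out: the Accept header lists every type the
# client is able to render, not the type of the object being requested, so
# this condition is also true for ordinary page loads in most browsers.
# RewriteCond %{HTTP_ACCEPT} image/
# RewriteRule .* /index.php [L]

# Narrower rule: act only on the hit-counting script, and only when the
# Referer names a site known to embed it as a fake image.
# The host list is a placeholder; replace it with the sites seen in your logs.
# ([^/]+\.)? also covers subdomains such as www.
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?(abuser-one\.example|abuser-two\.example)(/|$) [NC]
# In .htaccess the pattern is matched against the path relative to this
# directory, so there is no leading slash. "-" means no substitution and
# [F] answers 403 Forbidden.
RewriteRule ^in\.php$ - [F]
```

Requests that arrive with no Referer header pass through this rule, so it only stops embeds whose visitors' browsers send one.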