ColdFusion Muse

ISAPIRewrite or Mod_Rewrite Rules

Mark Kruger | August 8, 2008 4:29 PM | ColdFusion Security | Comments (11)

For those of you interested in stopping the SQLi attack before it even reaches your ColdFusion server, you might try these rewrite rules from the CF-Linux email list (run by House of Fusion). They were provided by list member Mike Chytracek and forwarded to me by Linux CFG Ryan Stille. The rules are written for Helicon's ISAPI_Rewrite filter, but with very little tweaking they ought to work for Apache mod_rewrite as well. One tweak is not optional: Apache's RewriteRule pattern is matched against the URL path only, never the query string, so the patterns below have to move into RewriteCond tests against %{QUERY_STRING} or %{THE_REQUEST}, both of which see the raw, still percent-encoded request. Also keep in mind what a rewrite rule can and cannot see: it inspects the request URL, not a POST body, and only for the exact encodings the patterns spell out (%20 rather than +, for instance), so treat this as a stop-gap in front of properly parameterized queries rather than a substitute for them.


# Helicon ISAPI_Rewrite configuration file
# Version 3.1.0.54
RewriteEngine On
RewriteCompatibility2 On
RepeatLimit 20
RewriteBase
# unsupported directive: [ISAPI_Rewrite]
# CacheClockRate 300
RewriteRule ^.*DECLARE%20.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*NVARCHAR.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*sp_password.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20xp_.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*EXEC\(@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^METHOD$ OPTIONS

Please note that these rules will actually redirect the request to the government's cybercrime website, and they do so for any URL that matches: the last pattern, %20@, fires on a space followed by an @ sign anywhere in a query string, not just on the attack. That's going to freak a few folks out if you end up with any false positives :)
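To see what the rule set above actually catches, here is an added example (not code from the original post, from Helicon, or from the list members who supplied the rules) that models the six patterns as regular expressions, runs them over a handful of constructed request URIs, and prints an Apache mod_rewrite equivalent. The sample requests are made up for illustration, not captured traffic, and the Apache translation (RewriteCond tests on %{THE_REQUEST}, OR'd together, ahead of one redirecting RewriteRule) is my own choice of how to express the same check; it is not something the post supplies.

```python
# Added example (not code from the original post or from Helicon): model the
# ISAPI_Rewrite rules above as regular expressions, run them over constructed
# request URIs, and emit an Apache mod_rewrite equivalent.  The sample
# requests are made up for illustration; the Apache translation is my own.
import re
import urllib.parse

# The six patterns from the post, in order.  [NC] means "no case" (case-insensitive).
ISAPI_RULES = [
    r"^.*DECLARE%20.*$",
    r"^.*NVARCHAR.*$",
    r"^.*sp_password.*$",
    r"^.*%20xp_.*$",
    r"^.*EXEC\(@.*$",
    r"^.*%20@.*$",
]
REDIRECT_TARGET = "http://www.cybercrime.gov/"

_RAW = [re.compile(p, re.IGNORECASE) for p in ISAPI_RULES]
# The same patterns with the literal %20 turned into a space, for use after decoding.
_DECODED = [re.compile(p.replace("%20", " "), re.IGNORECASE) for p in ISAPI_RULES]


def matched_rules(request_uri):
    """Patterns that fire when applied, as the filter does, to the raw (still
    percent-encoded) request URI.  Only the URL is inspected: a payload carried
    in a POST body never reaches these rules at all."""
    return [p for p, rx in zip(ISAPI_RULES, _RAW) if rx.search(request_uri)]


def normalized_matches(request_uri):
    """Patterns that fire after one round of decoding ('+' and %XX undone), which
    is closer to what the application will eventually see.  Double-encoded input
    (%2544) would need a second round; this deliberately decodes once."""
    decoded = urllib.parse.unquote_plus(request_uri)
    return [p for p, rx in zip(ISAPI_RULES, _DECODED) if rx.search(decoded)]


def to_apache_mod_rewrite(rules=ISAPI_RULES, target=REDIRECT_TARGET):
    """Apache's RewriteRule pattern sees only the URL path, never the query
    string, so each pattern becomes a RewriteCond on %{THE_REQUEST} (the raw,
    undecoded request line), OR'd together, followed by one redirecting rule."""
    lines = ["RewriteEngine On"]
    for i, pattern in enumerate(rules):
        flags = "[NC,OR]" if i < len(rules) - 1 else "[NC]"
        lines.append(f"RewriteCond %{{THE_REQUEST}} {pattern} {flags}")
    lines.append(f"RewriteRule ^ {target} [R=302,L]")
    return "\n".join(lines)


# Constructed request URIs (not captured traffic).
CONSTRUCTED_REQUESTS = {
    # Shape of the 2008 mass-injection payload, spaces encoded as %20.
    "classic": "/product.cfm?id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S="
               "CAST(0x4445434C415245%20AS%20NVARCHAR(4000));EXEC(@S);--",
    # Same payload with '+' for spaces: the %20-based patterns no longer see it.
    "plus": "/product.cfm?id=1;DECLARE+@S+NVARCHAR(4000);SET+@S="
            "CAST(0x4445434C415245+AS+NVARCHAR(4000));EXEC(@S);--",
    # First letter of each keyword percent-encoded: nothing matches the raw URI.
    "hexletters": "/product.cfm?id=1;%44ECLARE+@S+%4EVARCHAR(4000);SET+@S="
                  "CAST(0x4445434C415245+AS+%4EVARCHAR(4000));%45XEC(@S);--",
    # Legitimate search that trips the %20@ rule: a false positive.
    "falsepos": "/search.cfm?q=follow%20@coldfusionmuse",
    "benign": "/product.cfm?id=42",
}

if __name__ == "__main__":
    for name, uri in CONSTRUCTED_REQUESTS.items():
        print(f"{name:10} raw: {matched_rules(uri)}  decoded: {normalized_matches(uri)}")
    print(to_apache_mod_rewrite())
```

Running it shows the trade-off in one screen: the "classic" request trips four of the six rules, swapping + for %20 drops it to two, percent-encoding the first letter of each keyword slips past all six on the raw URI (while the decoded matcher still sees the full payload), and the harmless "follow @..." search is redirected just like an attack. The decoded matcher is not what a rewrite filter does, so if you want that behaviour you need a filter that normalizes before matching, and the false positive survives normalization either way.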


11 Comments

  • Posted by Matt | 8/8/08 2:58 PM
    How about on IIS?
  • Posted by Matt | 8/8/08 3:08 PM
    I really should have read it first before I posted. I just saw Linux and ignored the rest. My bad.
  • Posted by Brett S. | 8/8/08 3:34 PM
    We redirect them back to REMOTE_ADDR ;)
  • Posted by mark kruger | 8/8/08 3:55 PM
    @Brett,

    Ooh! I like it! That's tasteful without being gaudy.

    -mark
  • Posted by Brett S | 8/8/08 3:55 PM
    Also, I believe you would want to use [I,R] instead of [NC] to redirect them to the CyberCrime site.
  • Posted by Brett S | 8/8/08 4:00 PM
    Actually now that I look closer, I'm not sure of [NC] vs [I,R]. I the rule set is for Helicon's Filter (per the comments).

    We use Ionic ISAPI rewrite http://www.codeplex.com/IIRF and it is definitely [I,R]

    Sorry for any confusion, and thanks for the post, I added a couple of the rules to our server that we were not using.
  • Posted by simon | 8/8/08 11:22 PM
    Can anyone explain how exactly to do this in apache 2+?
  • Posted by Brad Wood | 8/9/08 3:36 AM
    LOL, you're going to start getting calls from the CIA wanting to know why half of their traffic is all redirects from your site...

    As much as I don't like filtering due to false positives and an over-grown sense of security, I do think the web server is the place to do it. Why even waste the CF thread, if Apache or IIS can handle the problem? I'm likely to mess around with a few rules, but I don't want to leave them in place permanently, assuming these specific attacks will eventually go away. The next big attack may use an entirely different method which will require a brand new rewrite rule...
  • Posted by sb | 8/11/08 2:51 PM
    How do I tweak this to get it to work with mod rewrite?
  • Posted by Matt Smith | 8/23/08 10:46 AM
    The suggested ISAPIRewrite rules are helpful in detecting the current attack, but when tested against the HP Scrawlr (SQL injector and crawler testing tool), the rules, as currently written, fail the test. I haven't yet identified what needs to be added or changed. Anyone have any suggestions how to make the rules more robust?
  • Posted by jon | 8/28/08 1:07 PM
    any word on how to go about this type of thing with IIS?