
I'm trying to block this link

http://192.168.1.123/index.php?page=php://filter/convert.base64-encode/resource=setupreset 

from my application using .htaccess file but I'm getting an internal server error.

This is how I'm doing it

RewriteEngine On
RewriteRule http://192.168.1.123/index.php?page=php://filter/convert.base64-encode/resource=setupreset$ - [F]
<Files "setupreset.php">
Deny from all
</Files>
<Files "\.inc$">
Deny from all
</Files>

What am I doing wrong?

  • You need to check your server's error log for the details of the "internal server error". Whilst the directive you've posted is not correct, it shouldn't result in a 500 error, unless mod_rewrite is not actually installed on your server. (Presumably the two <Files> blocks are existing directives and were "working" before adding the preceding rule?) Commented May 21, 2022 at 14:36

2 Answers


Don't use .htaccess to prevent LFI, but validate the parameter page in PHP.
And if it has to be, capture all page=php:// ... else you'd miss some of them.
Whitelisting is definitely more effective than blacklisting in this case.


5 Comments

Thanks for pointing to them, I have updated the answer.
What I meant is explained here: highon.coffee/blog/lfi-cheat-sheet ... while the rewrite rule only captures one of them. mod_rewrite might not even be loaded into the server when it throws HTTP 500; it would also require an IfModule directive, and an error message with a negated IfModule directive.
That's why I think that it's less effort to whitelist destinations in PHP than to blacklist in .htaccess ... while both are possible. With MVC the rewrites look wholly different anyway.
Yup, .htaccess, WAF ... are useless. This issue must be solved by fixing the backend code.
It's also a performance bottleneck, when these checks run at every single HTTP request.
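As an added example that is not part of the answer above or its comments, this is what validating the page parameter against an allow-list in PHP can look like. The page names, the file names and the pages/ directory are assumptions; the point is that the request only ever selects a key, never a path or a stream wrapper.

```php
<?php
// Added example, not code from the question or either answer: an allow-list
// for the `page` parameter, the fix the answer recommends instead of
// blacklisting php:// wrappers in .htaccess.

declare(strict_types=1);

// Hypothetical map of allowed page names to files under a fixed directory.
// The client may only choose a key; the file names never come from the request.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Pure allow-list decision: return the file name for a requested page, or
 * null when the request is not on the list. An empty or missing value falls
 * back to the home page.
 */
function allowedPageFile(?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        $requested = 'home';
    }
    // Exact-match lookup: "php://filter/...", "../setupreset" or
    // "setupreset" are simply not keys, so they never reach include().
    return array_key_exists($requested, PAGES) ? PAGES[$requested] : null;
}

/**
 * Resolve an allowed page to an absolute path inside $baseDir, or null.
 * The realpath() check is belt-and-braces: it rejects anything that does
 * not resolve to an existing file directly under the pages directory.
 */
function resolvePage(?string $requested, string $baseDir): ?string
{
    $file = allowedPageFile($requested);
    if ($file === null) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs for a quick check from the command line:
    // only 'about' (and the empty default) pass the allow-list.
    $samples = [
        '',
        'about',
        'php://filter/convert.base64-encode/resource=setupreset',
        '../setupreset',
        'setupreset',
    ];
    foreach ($samples as $p) {
        $verdict = allowedPageFile($p) === null ? 'rejected' : 'allowed';
        echo str_pad("'$p'", 60), ' => ', $verdict, PHP_EOL;
    }
} else {
    // Web request: anything off the list is a 404, and the rejected value is
    // logged so probing for wrappers or traversal shows up in the error log.
    $path = resolvePage($_GET['page'] ?? null, __DIR__ . '/pages');
    if ($path === null) {
        http_response_code(404);
        error_log('rejected page parameter: ' . ($_GET['page'] ?? ''));
        exit('Not found');
    }
    include $path;
}
```

Because the lookup is an exact match on a fixed set of keys, there is no list of wrapper names or traversal patterns to keep up to date, which is the practical difference from the .htaccess blacklist: a new wrapper or encoding trick does not need a new rule.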

In RewriteRule, you have to start with a relative path, not a URI.

RewriteEngine On
# RewriteRule only ever sees the path part, so match the query string separately
RewriteCond %{QUERY_STRING} page=php://filter/convert.base64-encode/resource=setupreset
RewriteRule .* - [F]
<Files "setupreset.php">
Deny from all
</Files>
# <Files> takes a file name or shell wildcard; a regular expression needs <FilesMatch>
<FilesMatch "\.inc$">
Deny from all
</FilesMatch>
