Reputation: 3180
I'm looking at ways to "harden" WordPress installations and recently came across some code to place in the site .htaccess file. However, it had no explanation as to what it does, and I'm trying to figure it out, but with little success.
The code / rule is:
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]
I can see this comes into play when any of the pages in the first line are called, but beyond that I'm in the dark. What can I try next?
Upvotes: 0
Views: 621
Reputation: 4302
The mentioned rules, in short, boost security by blocking specific requests, as follows:
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
The line above excludes a URI starting with any of these, /(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/, from the next rules.
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
The line above prevents a request that has more than two slashes (//) at the beginning of the URI; that actually prevents Path Equivalence https://cwe.mitre.org/data/definitions/50.html
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
The above line prevents a type of Cross-site Scripting (XSS); there is an example here http://cwe.mitre.org/data/definitions/79.html. The following code displays a welcome message on a web page based on the HTTP GET username parameter:
<?php
// Deliberately vulnerable (CWE-79 example): the parameter is echoed unescaped.
$username = $_GET['username'];
echo '<div class="header"> Welcome, ' . $username . '</div>';
Because the parameter can be arbitrary, the url of the page could be modified so $username contains scripting syntax, such as:
http://trustedSite.example.com/welcome.php?username=<Script Language="Javascript">alert("You've been attacked!");</Script>
This results in a harmless alert dialogue popping up.
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
The above line will prevent a request coming with two question marks, like this: ??, because in some cases this vulnerability may be exploited with a web browser; you can read more here https://www.securityfocus.com/bid/4876/exploit and here https://httpd.apache.org/docs/current/misc/security_tips.html
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
The two lines above will prevent any request with the given extensions, like .dll or .htaccess, etc.
RewriteRule .? - [F,NS,L]
The last line causes the server to return a 403 Forbidden status code for all captured requests.
Upvotes: 2
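To see which request lines the chain above actually catches, here is an added Python simulation (not code from the question or the answer) that transcribes the RewriteCond patterns and applies them to constructed request lines; it assumes THE_REQUEST is the raw request line and REQUEST_URI is its path portion, and that the conditions combine as cond1 AND (cond2 OR ... OR cond6), which is how the [OR] flags chain.

```python
import re

# First RewriteCond, negated in .htaccess: URIs under these prefixes are never blocked.
EXCLUDED_PREFIX = re.compile(
    r"^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).*", re.I)

# The five THE_REQUEST conditions, transcribed from the answer ("\ " is a literal space).
BLOCK_PATTERNS = [
    ("triple-slash", re.compile(r"^[A-Z]{3,9} ///.* HTTP/", re.I)),
    ("url-after-query", re.compile(r"^[A-Z]{3,9} /.*\?=?(http|ftp|ssl|https):/.* HTTP/", re.I)),
    ("double-question-mark", re.compile(r"^[A-Z]{3,9} /.*\?\?.* HTTP/", re.I)),
    ("blocked-extension", re.compile(r"^[A-Z]{3,9} /.*\.(asp|ini|dll).* HTTP/", re.I)),
    ("dotfile", re.compile(r"^[A-Z]{3,9} /.*\.(htpasswd|htaccess|aahtpasswd).* HTTP/", re.I)),
]


def request_uri(request_line):
    """REQUEST_URI: the path part of the request line, without the query string."""
    parts = request_line.split(" ")
    return parts[1].split("?")[0] if len(parts) >= 2 else ""


def evaluate(request_line):
    """Return the name of the first matching block condition, or None if the request passes."""
    if EXCLUDED_PREFIX.match(request_uri(request_line)):
        return None  # negated first condition fails, so the RewriteRule never fires
    for name, pattern in BLOCK_PATTERNS:
        if pattern.match(request_line):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample request lines (not real traffic).
    samples = [
        "GET /?p=1 HTTP/1.1",
        "GET //foo HTTP/1.1",
        "GET ///etc/passwd HTTP/1.1",
        "GET /index.php?http://evil.example/x HTTP/1.1",
        "GET /index.php?page=http://evil.example/x HTTP/1.1",
        "GET /index.php??foo HTTP/1.1",
        "GET /wp-admin/load-scripts.php??x HTTP/1.1",
        "GET /.htaccess HTTP/1.1",
        "GET /readme.dll HTTP/1.1",
    ]
    for line in samples:
        print(f"{evaluate(line) or 'allowed':>22}  {line}")
```

Note that the URL condition only fires when the scheme follows the ? directly or after ?=, so a request such as ?page=http://... is not caught by this chain; the simulation makes that gap visible.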