'How to block a URL using .htaccess?
I'm trying to block this link
http://192.168.1.123/index.php?page=php://filter/convert.base64-encode/resource=setupreset
from my application using .htaccess file but I'm getting an internal server error.
This is how I'm doing it
RewriteEngine On
RewriteRule http://192.168.1.123/index.php?page=php://filter/convert.base64-encode/resource=setupreset$ - [F]
<Files "setupreset.php">
Deny from all
</Files>
<Files "\.inc$">
Deny from all
</Files
What am I doing wrong?
Solution 1:[1]
Don't use .htaccess to prevent LFI, but validate parameter page in PHP.
And if it has to be, capture all page=php:// ...else you'd miss some of them.
Whitelisting is defintely more effective than blacklisting in this case.
Solution 2:[2]
in RewriteRule, you have to start relative path, not uri.
RewriteEngine On
RewriteCond %{QUERY_STRING} page=php://filter/convert.base64-encode/resource=setupreset
RewriteRule .* - [F]
<Files "setupreset.php">
Deny from all
</Files>
<Files "\.inc$">
Deny from all
</Files
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Martin Zeitler |
| Solution 2 |