
Luis Majano

October 15, 2008


Due to the huge surge in SQL injection attacks, Sana Ullah has done some great work on a set of .htaccess rules to protect against such injections. They have been committed to the ColdBox SVN, but we are also sharing them here. Please note that all the rules are for ColdBox SES, so make sure to update them accordingly.

```apache
RewriteEngine on

# SQL Injection Protection -- read more at www.cybercrime.gov
# Use these rules only if the words below do not conflict with your friendly URLs; modify them accordingly.
RewriteRule ^.*EXEC\(@.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*CAST\(.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE%20.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*%20xp_.*$ /notfound.htm [L,F,NC]

# Ignore images; this is the last rule applied if the condition matches
RewriteRule ^/(.*\.(png|gif|jpg|bmp)) /$1 [L,PT,NC]

# Ignore CSS and JS files; this is the last rule applied if the condition matches
RewriteRule ^/(.*\.(css|js)) /$1 [L,PT,NC]

# Ignore txt/doc/pdf/xls files; this is the last rule applied if the condition matches
RewriteRule ^/(.*\.(txt|pdf|doc|xls)) /$1 [L,PT,NC]

# ColdBox SES: send everything that is not a real file or directory through index.cfm
RewriteRule ^$ index.cfm [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L]
```
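As an added check (not code from the post, ColdBox, or Sana Ullah's rules), here is a small Python harness that reads the blocking rules above and tests request paths against them the way per-directory mod_rewrite does, so you can audit your own SES routes for the keyword conflicts the rules' comment warns about; the sample routes are constructed.

```python
import re
from urllib.parse import urlsplit

# The blocking rules quoted in the post (flags L,F,NC = last, forbidden, no-case).
BLOCK_RULES = r"""
RewriteRule ^.*EXEC\(@.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*CAST\(.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE%20.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*%20xp_.*$ /notfound.htm [L,F,NC]
"""
RULE_LINE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)\s+\[([^\]]*)\]$")

def parse_rules(text):
    """Turn RewriteRule lines into (compiled regex, flag set); NC -> IGNORECASE."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line.strip())
        if not m:
            continue  # comments, RewriteEngine and RewriteCond are not modelled here
        pattern, _target, flags = m.groups()
        flagset = {f.strip().upper() for f in flags.split(",")}
        rules.append((re.compile(pattern, re.IGNORECASE if "NC" in flagset else 0), flagset))
    return rules

def first_blocking_rule(path, rules):
    """Rules run in file order; the first F (forbidden) match answers 403.
    Returns that rule's pattern, or None when the path passes."""
    for regex, flagset in rules:
        if "F" in flagset and regex.search(path):
            return regex.pattern
    return None

def check_request(request_uri, rules):
    """Per-directory mod_rewrite tests only the URL path (leading slash stripped);
    the query string is not part of RewriteRule's input, so keyword filtering of
    query parameters needs a separate RewriteCond on %{QUERY_STRING}."""
    return first_blocking_rule(urlsplit(request_uri).path.lstrip("/"), rules)

def audit_routes(routes, rules):
    """Flag the application's own friendly URLs that the blocklist would 403 (the
    conflict the rules' comment warns about). Routes passed in below are constructed."""
    return {r: check_request(r, rules) for r in routes if check_request(r, rules)}

if __name__ == "__main__":
    rules = parse_rules(BLOCK_RULES)
    print(audit_routes(["/users/list", "/declared-events/list", "/nvarchar-guide"], rules))
```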

Comments (2)

Aug 08, 2008 19:34:48 UTC

by Oğuz Demirkapı

Great work! Thanks :)

Sep 16, 2008 08:47:54 UTC

by Mark Mazelin

Luis: Great set of rewrite rules! I'm wondering about the rules past the hack attempts. Can you explain why you need the exceptions for images, stylesheets, javascript, misc. files? And why the index.cfm rewrite rule? Also, it's kinda funny that this blog entry is about hacking and the second comment is comment spam! Ugh...
