2 Comments


@Harper822

This line:

<IfModule mod_rewrite.c>


checks whether mod_rewrite is installed in Apache; if it isn't, then anything between the above line and...

</IfModule>


is ignored.

This line:

RewriteCond %{QUERY_STRING} www.google.com/humans.txt? [NC]


checks to see if the URL contains www.google.com/humans.txt right after the question mark, and the casing doesn't matter (because of NC). If there's a match, then the next line is executed...

RewriteRule .* - [F,L]


Which means if the URL is something like:
example.com/a/b/cde.asp?http://www.google.com/humans.txt

Then the user is denied access because of the F in the [F,L] flags, and because the request matches the regex .*, which means match anything any number of times.

Apache doesn't even scan for files when it processes these rules that you show. That URL is probably something a hacker invented.

What I would do if I were you is switch your links over to friendly URLs (URLs that don't have a query string attached) and redirect anyone trying to inject an http:// anywhere in the URL to a failure page via these rules:

<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (.*)http://(.*) [NC]
RewriteRule .* - [F,L]
</IfModule>




@Nimeshi995

It looks like that code was developed to stop bots probing humans.txt via query strings.


Not blocked: example.com/humans.txt
Blocked: example.com/?some_path=http://www.google.com/humans.txt?

There are plenty of online guides about blocking humans.txt, and lots of websites explaining what does what. A lot of those rules in that block-bad-robots list you pasted are either old or just useless. Nasty bots don't announce themselves with their own unique user agent. And increasing the size of your .htaccess can slow down your site slightly, and even blocking bots uses bandwidth, as it's a request that can't be prevented.

I generally see a lot of people spending lots of time within .htaccess files, while in a lot of cases it's best spent doing security audits elsewhere, such as of file permissions etc.

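Both comments above walk through what the quoted RewriteCond / RewriteRule pair does to a request: the condition is a case-insensitive ([NC]), unanchored regex search over %{QUERY_STRING}, and RewriteRule .* - [F,L] refuses every path once the condition matches. The script below is an added example, not code from either commenter or from the original question. It emulates that evaluation in Python and runs constructed URLs (including the two that @Nimeshi995 lists as blocked and not blocked) through the posted humans.txt pattern and the proposed http:// pattern. The parse_querystring_cond helper, the STRICT_PATTERN variant and the sample URLs are my own assumptions and are not part of the thread; Apache uses PCRE, and for these simple patterns Python's re engine gives the same results.

```python
import re

# Constructed: the two RewriteCond patterns quoted in the thread, verbatim.
HUMANS_PATTERN = "www.google.com/humans.txt?"   # posted rule
HTTP_PATTERN = "(.*)http://(.*)"                 # proposed replacement

# Assumed hardened variant (not from the thread): dots escaped so they match
# only a literal dot, and no trailing '?' that would make the final 't' optional.
STRICT_PATTERN = r"www\.google\.com/humans\.txt"

# Shape of a directive: RewriteCond %{QUERY_STRING} <pattern> [flags]
COND_RE = re.compile(
    r"^\s*RewriteCond\s+%\{QUERY_STRING\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$"
)


def parse_querystring_cond(line):
    """Return (pattern, nocase) from a RewriteCond that tests %{QUERY_STRING}.

    Assumed helper: it only handles this one variable, which is all the
    thread's rules use. nocase is True when the NC flag is present.
    """
    m = COND_RE.match(line)
    if not m:
        raise ValueError("not a RewriteCond on %{QUERY_STRING}: " + line)
    pattern, flags = m.group(1), m.group(2) or ""
    nocase = "NC" in {f.strip().upper() for f in flags.split(",") if f.strip()}
    return pattern, nocase


def query_string(url):
    """Everything after the first '?', which is what %{QUERY_STRING} holds."""
    _, sep, qs = url.partition("?")
    return qs if sep else ""


def cond_matches(pattern, url, nocase=True):
    """Emulate RewriteCond: an unanchored regex search over the query string."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, query_string(url), flags) is not None


def forbidden(url, pattern, nocase=True):
    """RewriteRule .* - [F,L]: every path matches .*, so a matching condition
    means a 403 no matter which file was requested."""
    return cond_matches(pattern, url, nocase)


def audit(urls, pattern, nocase=True):
    """Return the subset of urls the rule would refuse."""
    return [u for u in urls if forbidden(u, pattern, nocase)]


# Constructed sample requests; none of these are real sites or real probes.
SAMPLE_URLS = [
    "http://example.com/a/b/cde.asp?http://www.google.com/humans.txt",  # from the thread
    "http://example.com/humans.txt",                                    # no query string
    "http://example.com/?some_path=http://www.google.com/humans.txt?",  # from the thread
    "http://example.com/?q=WWW.GOOGLE.COM/HUMANS.TXT",                  # case differs
    "http://example.com/?q=www.google.com/humans.tx",                   # final 't' missing
    "http://example.com/?q=wwwXgoogleXcom/humansXtxt",                  # dots replaced
    "http://example.com/login?next=http://example.com/account",         # legitimate parameter
    "http://example.com/?u=https://www.google.com/humans.txt",          # https, not http://
]

if __name__ == "__main__":
    posted = "RewriteCond %{QUERY_STRING} www.google.com/humans.txt? [NC]"
    pattern, nocase = parse_querystring_cond(posted)
    print("parsed:", pattern, "NC" if nocase else "case-sensitive")
    for name, pat in (("posted", HUMANS_PATTERN),
                      ("http://", HTTP_PATTERN),
                      ("strict", STRICT_PATTERN)):
        print(f"\n[{name}] {pat}")
        for url in SAMPLE_URLS:
            print("  403" if forbidden(url, pat) else "  200", url)
```

Running it shows three things the prose alone does not: the unescaped dots and the trailing ? in the posted pattern mean it also fires on humans.tx and on wwwXgoogleXcom/humansXtxt; the proposed (.*)http://(.*) rule refuses an ordinary ?next=http://... parameter on your own site but lets an https:// probe straight through; and a request with no query string at all, such as /humans.txt itself, is never touched by either rule.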

