[geeklog-devel] Blocking those inclusion attempts

Dirk Haun dirk at haun-online.de
Sat Dec 15 05:22:32 EST 2007

Does anyone see a problem with a .htaccess rule like this?

  RewriteEngine On
  RewriteCond %{THE_REQUEST} http:
  RewriteRule .* - [L,F]

This would block all requests that contain "http:" in the URL. It's
aimed at the script kiddies' standard inclusion attempts, e.g.

  - - [15/Dec/2007:05:15:21 -0500] "GET /forum/viewtopic.php?showtopic=http://laudanskisucksss.chat.ru/placeholder/image? HTTP/1.1" 403 26 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR

Blocking the libwww-perl user agent used to help against most of these,
but the majority are now coming with faked UA strings of popular
browsers, so I had to come up with something else.

It doesn't block the search for URLs, since the colon is escaped there:


So that's fine. Are there any other legit requests that anyone can think
of that contain "http:"?

bye, Dirk
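
An added example, not part of the original post: one way to look for legitimate requests the rule above would deny is to replay an existing access log through the same match and list the hits that were previously served. The log entries, hosts, paths and the `audit` helper are constructed for illustration; combined log format is assumed.

```python
import re
from collections import Counter

# The RewriteCond test: unanchored, case-sensitive regex match against
# %{THE_REQUEST}, i.e. the raw request line before any percent-decoding.
RULE = re.compile(r"http:")

# Pull the quoted request line and the status code out of a combined-format entry.
LOG_RE = re.compile(r'\] "(?P<request>[^"]*)" (?P<status>\d{3})\b')

# Constructed sample entries; hosts, paths and parameters are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Dec/2007:05:15:21 -0500] "GET /forum/viewtopic.php?showtopic=http://remote.example/image? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.11 - - [15/Dec/2007:05:16:02 -0500] "GET /search.php?query=http%3A%2F%2Fwww.example.org HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.12 - - [15/Dec/2007:05:17:40 -0500] "GET /out.php?url=http://www.example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.13 - - [15/Dec/2007:05:18:11 -0500] "GET http://www.example.com/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.14 - - [15/Dec/2007:05:19:03 -0500] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.15 - - [15/Dec/2007:05:20:27 -0500] "GET /missing.php?inc=http://remote.example/x? HTTP/1.1" 404 300 "-" "Mozilla/4.0"
"""


def audit(log_text):
    """Return (matched, served): how many requests the rule would deny, and a
    per-path count of those that the server answered with 2xx/3xx before."""
    matched, served = 0, Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not RULE.search(m.group("request")):
            continue
        matched += 1
        if m.group("status")[0] in "23":
            # Request line is "METHOD target VERSION"; key on the target without its query.
            parts = m.group("request").split(" ")
            target = parts[1] if len(parts) >= 2 else parts[0]
            served[target.split("?", 1)[0]] += 1
    return matched, served


if __name__ == "__main__":
    matched, served = audit(SAMPLE_LOG)
    print(f"{matched} requests would get 403")
    for path, count in served.most_common():
        print(f"{count:5d}  {path}  (served before; review)")
```

The "served before" list mixes inclusion attempts that hit an existing script with genuine traffic, such as an outbound-link parameter or an absolute-form request line, so each path in it needs a manual look before the rule goes live.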

