Remote file inclusion
8 Jun, 2008 Stephan
I first read about this form of remote file inclusion at osvdb.org, although this was about different software. I have found some interesting resources on the problem of remote file inclusion:
- Preventing remote file include attacks with mod rewrite
- Wikipedia
- Preventing PHP RFI with Apache's ReWriteRules
It is not that I am particularly vulnerable to this, but it is a waste of resources to return the standard not-found page, complete with images and CSS, when the request is clearly not a regular one. A more efficient solution is to use mod_rewrite and return something less elaborate, for example a blank page with a message.
To force a Forbidden response:
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*) [NC]
RewriteRule ^(.+)$ - [F,L]
To return something different:
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*) [NC]
RewriteRule ^(.+)$ /blank.html [L]
Where blank.html could contain anything you want.
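To see what the two rule pairs above actually do to a request, here is a small Python model of them. It is an added example, not code from the original post: it applies the same RewriteCond pattern (with re.IGNORECASE standing in for the [NC] flag) to constructed sample query strings and reports the status and resource the rewrite would produce. The sample query strings, the apply_rules function and its forbid parameter are assumptions made for the illustration.

```python
import re

# The post's RewriteCond pattern, unchanged; re.IGNORECASE mirrors Apache's [NC] flag.
# Note that mod_rewrite tests the raw query string, exactly as the client sent it.
RFI_PATTERN = re.compile(r"(.*)(http|https|ftp):\/\/(.*)", re.IGNORECASE)


def apply_rules(request_path: str, query_string: str, forbid: bool = True):
    """Model the post's rule pair for one request.

    Returns (status, resource):
      - the rule does not fire        -> (200, request_path)   request served normally
      - fires, forbid=True  ([F,L])   -> (403, None)           Forbidden, nothing rendered
      - fires, forbid=False (/blank.html [L]) -> (200, "/blank.html")  cheap placeholder page
    """
    # RewriteRule ^(.+)$ only matches a non-empty path, so an empty path passes through.
    if not request_path or not RFI_PATTERN.search(query_string):
        return (200, request_path)
    if forbid:
        return (403, None)
    return (200, "/blank.html")


# Constructed sample requests (hypothetical, not taken from the original post).
SAMPLE_REQUESTS = [
    ("/index.php", "page=about"),
    ("/index.php", "page=HTTP://203.0.113.9/include.txt"),   # upper-case scheme, still matched via [NC]
    ("/index.php", "file=ftp://203.0.113.9/include.txt"),
    ("/login.php", "next=https://www.example.com/account"),  # legitimate redirect parameter: a false positive
    ("/search.php", "q=example.com"),                        # no scheme, passes through
]


def evaluate_samples(forbid: bool = True):
    """Run every sample through the rules; returns {query_string: (status, resource)}."""
    return {q: apply_rules(p, q, forbid) for p, q in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for mode in (True, False):
        print("mode:", "[F,L]" if mode else "/blank.html [L]")
        for query, (status, resource) in evaluate_samples(mode).items():
            print(f"  {status}  {resource!s:<12}  ?{query}")
```

Two things the model makes visible. First, the pattern fires on any query string containing a scheme followed by "://", so a legitimate parameter that carries a full URL (the next= redirect above) is blocked as well; check your own application's parameters before enabling the rule. Second, because the condition inspects the raw query string, it is a noise filter that saves the server from rendering a full error page, which is all the post claims for it; the actual protection against remote includes in PHP is keeping allow_url_include (and, where possible, allow_url_fopen) switched off.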