
Hello, I am running a server with XenForo. I would like to know how I can restrict a URL from .htaccess.

The URL is: https://mywebiste.com/index.php?members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json

There is SQL injection, so I think just blocking it would fix it.

I tried doing something like this:

RewriteEngine On
RewriteRule ^index.php?members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json - [F]

and with $ at the end:

RewriteEngine On
RewriteRule ^index.php?members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json$ - [F]

What am I doing wrong?

mikef0x

2 Answers


The RewriteRule directive matches against the URL-path only. To match the query string you would need an additional RewriteCond (condition) directive that matches against the QUERY_STRING server variable.

For example, to block that specific URL:

RewriteCond %{QUERY_STRING} =members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3&_xfResponseType=json
RewriteRule ^index\.php$ - [F]

The = prefix on the CondPattern (2nd argument to the RewriteCond directive) makes it a lexicographic string comparison (exact match), not a regex, so no need to escape special regex meta characters.

However, this URL is very specific; would it not be preferable to block URLs that (don't) match a certain pattern? Although if you are already sufficiently validating the URL param values in your server-side script, then blocking specific URLs like this should not be necessary.

MrWhite

The solution you are trying to implement will only block the URL you typed in. Changing this URL in any way, e.g. swapping two of the GET params, or adding extra GET params (even irrelevant ones), or adding hash-tag params would render the request different to Apache and overcome your protection.

Instead, modify your index.php to properly handle the request and safely work with user input (such as GET requests), giving HTTP 403 Unauthorized in case anything suspicious comes in.

Varrah

Thanks for the answer, but I'm using XenForo and I don't have experience with PHP, so it is hard for me to do it. – mikef0x Mar 25 '22 at 19:35
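As an added example (not code from the question or either answer), the following Python model reproduces the mod_rewrite behaviour both answers describe: the RewriteRule pattern is tested against the URL-path only, an "=" CondPattern is an exact comparison against the undecoded QUERY_STRING, and that exact match no longer fires once the parameters are reordered or extended. It is a simplified model: CondPatterns are taken literally (no backreference or variable expansion), the .htaccess is assumed to sit in the document root, and the regex CondPattern at the end is a constructed illustration of the order-independent pattern MrWhite hints at.

```python
import re
from urllib.parse import urlsplit

# Sample input, taken from the question: the query string of the request to block.
BLOCKED_QS = ("members/find&q=oi%5Bp%5C&_xfRequestUri=%2Findex.php%3Fmembers%2F"
              "&_xfWithData=1&_xfToken=1648216864%2C89d40e7bf50a91b8a62f9fe448c5d1f3"
              "&_xfResponseType=json")
ORIGINAL_URL = "https://mywebiste.com/index.php?" + BLOCKED_QS
# Constructed variant: the same parameters with the first two swapped (Varrah's point).
PARTS = BLOCKED_QS.split("&")
REORDERED_URL = "https://mywebiste.com/index.php?" + "&".join([PARTS[1], PARTS[0]] + PARTS[2:])
# The asker's first RewriteRule Pattern, which embeds the query string in the regex.
ASKER_PATTERN = "^index.php?" + BLOCKED_QS

def split_request(url):
    """Return (URL-path as a per-directory RewriteRule sees it, QUERY_STRING).
    In .htaccess context the directory prefix is stripped, so '/index.php'
    is tested as 'index.php'; QUERY_STRING is passed through undecoded."""
    parts = urlsplit(url)
    return parts.path.lstrip("/"), parts.query

def rewrite_rule_matches(pattern, url):
    """RewriteRule Pattern: a regex tested against the URL-path only."""
    path, _ = split_request(url)
    return re.search(pattern, path) is not None

def rewrite_cond_matches(cond_pattern, url):
    """RewriteCond %{QUERY_STRING} CondPattern: a leading '=' means an exact
    (lexicographic) string comparison; anything else is treated as a regex."""
    _, qs = split_request(url)
    if cond_pattern.startswith("="):
        return qs == cond_pattern[1:]
    return re.search(cond_pattern, qs) is not None

def is_forbidden(url, cond_pattern=None, rule_pattern=r"^index\.php$"):
    """Model of `RewriteCond %{QUERY_STRING} <cond>` followed by
    `RewriteRule <rule> - [F]`: 403 only if the condition (when given)
    holds and the rule pattern matches the URL-path."""
    if cond_pattern is not None and not rewrite_cond_matches(cond_pattern, url):
        return False
    return rewrite_rule_matches(rule_pattern, url)

if __name__ == "__main__":
    # The asker's rule never fires: the query string is not part of the URL-path.
    print(is_forbidden(ORIGINAL_URL, rule_pattern=ASKER_PATTERN))      # False
    # MrWhite's exact match blocks the one URL, but not a reordered copy of it.
    print(is_forbidden(ORIGINAL_URL, "=" + BLOCKED_QS))                # True
    print(is_forbidden(REORDERED_URL, "=" + BLOCKED_QS))               # False
    # A regex CondPattern keyed on the q parameter alone survives reordering.
    print(is_forbidden(REORDERED_URL, r"(^|&)q=oi%5Bp%5C(&|$)"))       # True
```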