That Apache rule is pretty much useless; it gives a false sense of security. It only blocks those exact strings. Someone could easily put a comment inside a keyword (i.e. use "SEL/**/ECT" instead of "SELECT") and this would still be valid SQL, and wouldn't get blocked by that rule.

The best approach here is to do it at an application level. That is, make sure your application is not vulnerable to SQL injection. In the case of a PHP application, you should really be using prepared statements with PDO (or, at least, the MySQLi extension). These have been around for years; the old mysql extension (i.e. mysql_query and its friends) has been deprecated for about 8 years now. Check out http://webdevrefinery.com/forums/topic/1272-your-mysql-code-sucks/. SQL injection is by far one of the easiest security problems to avoid, and newer applications should (by nature) not be vulnerable at all.

To properly block this at a server level, you'd need something like mod_security that can use smarter techniques to recognise attack patterns. Unfortunately I don't think there's a Cherokee equivalent of this yet.

Regards,
- Daniel

----- Original Message -----
From: pub crawler <[email protected]>
To: cherokee List <[email protected]>
Cc:
Sent: Monday, 10 October 2011 7:56 PM
Subject: [Cherokee] Protecting Cherokee fronted sites from RefRef

Looking for some collective thoughts here on how to shield sites fronted with Cherokee from Anonymous' RefRef tool.

The anatomy of the tool, oversimplified, is that it posts to a URL on a website and sends along in the POST some javascript which pumps this data to MySQL:

    select benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f);

What that does is run the benchmark, converting the string 99999999999 times.

One solution I've found elsewhere, and which is Apache specific, is this:

.htaccess

    RewriteEngine on
    RewriteCond %{QUERY_STRING} .*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC]
    RewriteRule .* - [R=406,L]

Anyone know of or recommend how to convert this to Cherokee rules?
_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee
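The following is an added illustration, not code from either message in the thread. It re-implements the keyword list from the quoted .htaccess rule as a Python regex and exercises it against constructed requests carrying the RefRef payload quoted above, then contrasts string-concatenated SQL with a bound parameter (using SQLite in memory, so the MySQL-only benchmark() call is replaced by a plain tautology). The observations it encodes are that RewriteCond sees %{QUERY_STRING} as the raw, still percent-encoded string and never sees a POST body, that the word list also matches harmless parameters such as "offset", and that a bound parameter cannot change the statement's structure regardless of what it contains. The table, column names and sample values are made up for the demo.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Keyword alternation copied from the RewriteCond in the thread; re.IGNORECASE
# plays the role of Apache's [NC] flag.
KEYWORD_RULE = re.compile(
    r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)",
    re.IGNORECASE,
)

# The payload quoted in the original message (newline/semicolon dropped).
PAYLOAD = "select benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f)"


def rewrite_rule_blocks(raw_query_string: str) -> bool:
    """Mimic the RewriteCond: True means the request would be answered with 406.

    mod_rewrite matches %{QUERY_STRING} before any URL-decoding and never
    looks at the request body, so only the raw query string is passed in.
    """
    return KEYWORD_RULE.search(raw_query_string) is not None


def classify_requests() -> dict:
    """Run the rule over constructed requests that all carry the same intent."""
    in_query_string = "q=" + PAYLOAD                 # GET /?q=select benchmark(...)
    percent_encoded = "q=%73elect%20%62enchmark(1,0)"  # 's' and 'b' encoded
    post_request_qs = ""                              # payload travels in the body
    harmless = "page=2&offset=10"                     # "offset" contains "set"
    return {
        "query_string": rewrite_rule_blocks(in_query_string),   # blocked
        "url_encoded": rewrite_rule_blocks(percent_encoded),    # not blocked
        "post_body": rewrite_rule_blocks(post_request_qs),      # never inspected
        "false_positive": rewrite_rule_blocks(harmless),        # blocked anyway
        # What the application sees after decoding the encoded variant.
        "decoded_by_app": parse_qs(percent_encoded)["q"][0],
    }


def run_queries(user_input: str) -> tuple:
    """Return (rows from concatenated SQL, rows from a bound parameter).

    Constructed table: two posts, neither titled with the attacker's input,
    so a correct lookup returns zero rows.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "hello"), (2, "world")])

    # Vulnerable: the input is spliced into the SQL text and becomes grammar.
    unsafe_sql = "SELECT id FROM posts WHERE title = '" + user_input + "'"
    unsafe_rows = conn.execute(unsafe_sql).fetchall()

    # Prepared: the input is bound as a value; it can only ever be compared.
    safe_rows = conn.execute(
        "SELECT id FROM posts WHERE title = ?", (user_input,)
    ).fetchall()
    conn.close()
    return len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    print(classify_requests())
    # Tautology that contains none of the blocklisted words at all.
    print(run_queries("' OR '1'='1"))
```

Note that the tautology used for run_queries() contains none of the words in the rule, so the rewrite would pass it through untouched; the parameterised query still returns nothing because the whole string is compared as a title rather than parsed as SQL.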
