Saying goodbye to the PHP pokers the easy way
If you have a public web site or a web app, you almost certainly have people trying drive-by PHP exploits against you whether or not your site shows any sign of using PHP. The people (or software) behind these don't care; they seem to operate by taking one of your URLs and slapping the page name (and sometimes query parameters) of a vulnerable bit of PHP, then seeing if it works. I see requests like:
GET /~cks/space/blog/linux/images/stories/food.php?rfPOST /~cks/space/blog/linux/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20POST /~cks/space/blog/linux//components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=guys.php GET /~cks/space/blog/linux//components/com_jnews/includes/openflashchart/tmp-upload-images/guys.php?rf
If you have anything other than a static site, these requests are
at least annoying (in that they're forcing your code to run just
to give the attacker a 'no such URL' answer). If you log potential
security issues (such as odd
POST content-types or the like) they
can also make your logs nag at you. Recently I got irritated at
these people and decided to make them go away the easy way.
The easy way here is to have your web server handle refusing the requests instead of letting them go all the way to your actual app code. Front end web servers generally have highly developed and very CPU-efficient ways of doing this (exactly how varies with the web server), plus this means your app code won't be logging any errors because it's never going to see the requests in the first place. In my case this host runs Apache and so the simplest way is a RewriteRule:
RewriteRule ^.*\.php$ - [F,L]
No fuss, no muss, no CPU consumption from my Rube Goldberg stack, and no more log messages.
(Arguably this generates the wrong HTTP error code, if you think that matters, since it generates a 403 instead of the theoretically more correct 404.)
Of course you can only do this trick if you can guarantee that
you'll never use a URL ending in
.php. This isn't necessarily
something you can assert for a general use web program (cf), but it often is something you can say
about your particular site. It's certainly something I can say about
here; even though I theoretically could create a perfectly
valid URL ending in .php (although it wouldn't be a PHP page), I'm
never going to.
(And if I do, I can change or remove my RewriteRule.)