Rule 420009: block certain uses of http URIs
Purpose
Prevent anonymous users (i.e. requests without a trac_auth cookie, so not authenticated) from POSTing working links (e.g. http://domain.tld/some/patch). This filters out almost all spammers that slip through the other rules, but it also affects many legitimate users who want to post links. In other words, this rule has a high false-positive rate and should be used with care.
Looks for POSTs without a trac_auth cookie that contain the string "http:/" or "https:/" in any of the summary, description, comment or text form parameters.
Example
The following ModSecurity audit-log entry shows the rule intercepting a spam comment on ticket 729. The request carries trac_session and trac_form_token cookies but no trac_auth cookie, so it is treated as anonymous, and the comment parameter contains several http:// links. Rule 420099 (Suspicious Post) only logs a warning; 420009 then denies the request with a 403.
--700c060d-A--
[25/Apr/2007:13:29:31 +0200] N0TIo6wQKoYAAE4CT44AAABA XX.XX.XX.XX 51927 217.24.1.134 80
--700c060d-B--
POST /ticket/729 HTTP/1.0
Host: madwifi.org
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: trac_session=68415932fdaad0850f17db9c; trac_form_token=d4efb9f193740e234ae09944
Content-Length: 372

--700c060d-C--
__FORM_TOKEN=d4efb9f193740e234ae09944&author=Gage%20&comment=I%20like%20this%21%20%5Burl%3Dhttp%3A%2F%2Fwww%2Edomain%2Etld%2Ftramadolp41%5Dbuy%20tramadol%5B%2Furl%5D%20%20%3Ca%20href%3D%22http%3A%2F%2Fwww%2Edomain%2Etld%2Ftramadolp41%22%3Ebuy%20tramadol%3C%2Fa%3E%20%20http%3A%2F%2Fwww%2Edomain%2Etld%2Ftramadolp41%20%20&action=leave&ts=1153379099&replyto=&cnum=4

--700c060d-F--
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=UTF-8

--700c060d-H--
Message: Warning. Pattern match "^/(wiki/|ticket/|newticket|simpleticket).*$" at REQUEST_URI. [id "420099"] [rev "1"] [msg "Suspicious Post"]
Message: Access denied with code 403 (phase 2). Pattern match "(http|https):/" at ARGS:comment. [id "420009"] [rev "1"] [msg "URLs disallowed for anonymous"]
Action: Intercepted (phase 2)
Stopwatch: 1177500571191459 168103 (137089* 137522 -)
Producer: ModSecurity v2.1.0 (Apache 2.x)
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 mod_python/3.2.10 Python/2.4.4
WebApp-Info: "trac.madwifi" "-" "-"

--700c060d-Z--
Protected handlers
- newticket
- simpleticket
- ticket
- attachment
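The following script is an added illustration, not part of the madwifi.org rule set and not ModSecurity code. It re-implements the decision logic described under Purpose and Protected handlers in plain Python and replays it against the request body from the audit log above and against a few constructed requests (the legitimate comment, the scheme-less spam body and the trac_auth cookie value are assumptions made for the example). It shows the false positive the Purpose section warns about: an anonymous developer posting a link to a patch is denied exactly like the spammer, while the same post from a logged-in user passes.

```python
import re
from urllib.parse import parse_qs

# Handlers listed under "Protected handlers"; the trailing (/|$) keeps /ticket/729
# and /newticket in scope without matching an unrelated path such as /ticketing.
PROTECTED_URI = re.compile(r"^/(newticket|simpleticket|ticket|attachment)(/|$)")

# Form parameters the rule inspects and the pattern quoted in the audit log.
# "(http|https):/" is equivalent to "https?:/" and matches anywhere in the value.
INSPECTED_ARGS = ("summary", "description", "comment", "text")
URL_PATTERN = re.compile(r"(http|https):/")


def parse_cookies(header):
    """Turn a Cookie request header into a dict (simple 'name=value; name=value' assumed)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def rule_420009(method, uri, cookie_header, body):
    """Simulation of rule 420009 (added here; not the ModSecurity rule text itself).

    Returns the denial message in the audit-log format when the request would be
    intercepted, or None when this rule lets it through.
    """
    if method != "POST":
        return None
    if not PROTECTED_URI.match(uri):
        return None
    # An authenticated Trac session carries a trac_auth cookie; those users may post links.
    if "trac_auth" in parse_cookies(cookie_header):
        return None
    # parse_qs decodes the percent-encoded form body, so %3A%2F%2F becomes "://".
    args = parse_qs(body, keep_blank_values=True)
    for name in INSPECTED_ARGS:
        for value in args.get(name, []):
            if URL_PATTERN.search(value):
                return ('Access denied with code 403 (phase 2). '
                        f'Pattern match "(http|https):/" at ARGS:{name}. '
                        '[id "420009"] [rev "1"] [msg "URLs disallowed for anonymous"]')
    return None


# The spam request from the audit log on this page: no trac_auth cookie, links in "comment".
SPAM_COOKIES = "trac_session=68415932fdaad0850f17db9c; trac_form_token=d4efb9f193740e234ae09944"
SPAM_BODY = (
    "__FORM_TOKEN=d4efb9f193740e234ae09944&author=Gage%20&comment=I%20like%20this%21%20"
    "%5Burl%3Dhttp%3A%2F%2Fwww%2Edomain%2Etld%2Ftramadolp41%5Dbuy%20tramadol%5B%2Furl%5D%20%20"
    "%3Ca%20href%3D%22http%3A%2F%2Fwww%2Edomain%2Etld%2Ftramadolp41%22%3Ebuy%20tramadol%3C%2Fa%3E"
    "%20%20http%3A%2F%2Fwww%2Edomain%2Etld%2Ftramadolp41%20%20&action=leave&ts=1153379099&replyto=&cnum=4"
)

# Constructed request bodies (not from the page) that probe the rule's limits.
LEGIT_BODY = "__FORM_TOKEN=abc&author=dev&comment=Fix+is+at+https%3A%2F%2Fexample.org%2Ffix.diff&action=leave"
SCHEMELESS_BODY = "summary=spam&description=visit+www%2Eexample%2Eorg%2Fpills"


def demo():
    """Run the cases a reviewer of this rule would want to see; None means the rule passes it."""
    return {
        # The logged spam is intercepted, on the comment argument as in the log.
        "spam_blocked": rule_420009("POST", "/ticket/729", SPAM_COOKIES, SPAM_BODY),
        # A legitimate anonymous comment with a link is blocked too: the false positive.
        "anon_link_blocked": rule_420009("POST", "/ticket/729", "", LEGIT_BODY),
        # The same comment from a logged-in user (trac_auth present, value assumed) passes.
        "auth_link_allowed": rule_420009("POST", "/ticket/729", "trac_auth=deadbeef; " + SPAM_COOKIES, LEGIT_BODY),
        # A scheme-less link is not caught; the pattern needs "http:/" or "https:/".
        "schemeless_allowed": rule_420009("POST", "/newticket", "", SCHEMELESS_BODY),
        # Wiki pages are not in this rule's handler list, so 420009 does not fire there.
        "wiki_not_covered": rule_420009("POST", "/wiki/Start", SPAM_COOKIES, SPAM_BODY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'DENY' if result else 'pass'}")
```

The script only models the rule; the real decision is made by ModSecurity from its configuration, which applies the pattern to the decoded ARGS collection in much the same way parse_qs does here. The scheme-less case is worth noting when tuning: a spammer who drops the "http://" prefix is not caught by this pattern, while an anonymous developer linking to a patch always is.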
See also
n/a
History
- rev:1
- Initial version.
