I'm trying to block this link
http://192.168.1.123/index.php?page=php://filter/convert.base64-encode/resource=setupreset
from my application using .htaccess file but I'm getting an internal server error.
This is how I'm doing it
RewriteEngine On
RewriteRule http://192.168.1.123/index.php?page=php://filter/convert.base64-encode/resource=setupreset$ - [F]
<Files "setupreset.php">
Deny from all
</Files>
<Files "\.inc$">
Deny from all
</Files
What am I doing wrong?
CodePudding user response:
Don't use .htaccess to prevent LFI, but validate the page parameter in PHP.
And if it has to be, capture all page=php:// ...else you'd miss some of them.
Whitelisting is definitely more effective than blacklisting in this case.
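As an added illustration of the whitelist approach this answer recommends (example code, not from the question or either answer; the page names and the pages/ directory are hypothetical), the page parameter is mapped to a fixed set of known files before it ever reaches include(), so stream wrappers such as php://filter, path traversal, and unknown names are all rejected by the same check:

```php
<?php
// Added example, not part of the original post: whitelist the "page"
// parameter in PHP instead of blacklisting URLs in .htaccess.
// The page names and file paths below are hypothetical.

const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/**
 * Resolve a user-supplied page name to a known file path, or null.
 * Anything that is not a short plain identifier (php://..., ../, etc.)
 * fails the regex, and anything not in the map fails the lookup, so
 * only the three paths listed above can ever be passed to include().
 */
function resolvePage(?string $page): ?string
{
    if ($page === null || $page === '') {
        $page = 'home';
    }
    // Reject everything except short identifiers before touching the map
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $page)) {
        return null;
    }
    return ALLOWED_PAGES[$page] ?? null;
}

$target = resolvePage($_GET['page'] ?? null);
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```

Because the lookup key is the only thing derived from user input, and the value is a constant path chosen by the developer, there is no string the attacker can supply that turns into a wrapper or a different file; the .htaccess rule in the question only catches the one URL it names.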
CodePudding user response:
In RewriteRule, you have to start with a relative path, not a URI.
RewriteEngine On
RewriteCond %{QUERY_STRING} page=php://filter/convert.base64-encode/resource=setupreset
RewriteRule .* - [F]
<Files "setupreset.php">
Deny from all
</Files>
<FilesMatch "\.inc$">
Deny from all
</FilesMatch>