Canonicalization of $uri with "/?.*" content

Server NGINX
1

The last security audit revealed the following:

V:Wed Apr 15 20:58:19 2015 - 200 for GET:
/?mod=node&nid=some_thing&op=view
V:Wed Apr 15 20:58:43 2015 - 200 for GET: /?Open
V:Wed Apr 15 20:58:43 2015 - 200 for GET: /?OpenServer
V:Wed Apr 15 20:59:16 2015 - 200 for GET: /?sql_debug=1
V:Wed Apr 15 20:59:40 2015 - 200 for GET:
/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
V:Wed Apr 15 20:59:40 2015 - 200 for GET:
/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
V:Wed Apr 15 20:59:40 2015 - 200 for GET:
/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
V:Wed Apr 15 20:59:40 2015 - 200 for GET:
/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
V:Wed Apr 15 20:59:43 2015 - 200 for GET: /?PageServices
V:Wed Apr 15 20:59:43 2015 - 200 for GET: /?wp-cs-dump
V:Wed Apr 15 21:03:06 2015 - 200 for GET: /?D=A
V:Wed Apr 15 21:04:58 2015 - 200 for GET:
/?_CONFIG[files][functions_page]=http://example.com/rfiinc.txt?
V:Wed Apr 15 21:08:00 2015 - 200 for GET: /?-s
V:Wed Apr 15 21:08:09 2015 - 200 for GET: /?q[]=x
V:Wed Apr 15 21:08:41 2015 - 200 for GET: /?sc_mode=edit
V:Wed Apr 15 21:09:30 2015 - 200 for GET: /?admin

In plain words, there is an infinite amount of $request_uri that returns
the
content of the canonical address.

You can test your own domain “example.com”:

canonical:
http://example.com/

unwanted variants:
http://example.com/?mod=node&nid=some_thing&op=view
http://example.com/?Open
http://example.com/?OpenServer

Is there an nginx parameter to normalize this type of $uri?

Posted at Nginx Forum:

2

On Thu, Apr 16, 2015 at 10:13:33AM -0400, 173279834462 wrote:

Hi there,

canonical:
http://example.com/

unwanted variants:
Example Domain
Example Domain
Example Domain

Is there an nginx parameter to normalize this type of $uri?

When I request Example Domain, what response do you want to
send me?

Does

==
location = / {
if ($is_args) { return 301 /; }
}

cause your right thing to happen?

f

Francis D. [email protected]

3

When I request Example Domain, what response do you want to send
me?

301 to /: this would do the canonicalization,

location = / { if ($is_args) { return 301 /; } }

404: this would correspond to reality,

location = / { if ($is_args) { return 404; } }

However, if one compiled nginx without the scripting engines, shouldn’t
it
return 404 by default,
instead of returning 200 while ignoring $uri’s content?

Posted at Nginx Forum:

4

On Fri, Apr 17, 2015 at 09:10:34AM -0400, 173279834462 wrote:

Hi there,

301 to /: this would do the canonicalization,

location = / { if ($is_args) { return 301 /; } }

404: this would correspond to reality,

location = / { if ($is_args) { return 404; } }

However, if one compiled nginx without the scripting engines, shouldn’t it
return 404 by default,
instead of returning 200 while ignoring $uri’s content?

I’d say “no”.

If you want your instance to care more about $query_string than the
default, you can configure it to, for example as above.

Cheers,

f

Francis D. [email protected]