Addition to prevent Joomla 0day or similar

[davcpas1234]

Opening this as an issue, rather that a PR as it's not a bad bot or referrer, rather a user-agent exploit, but could we add a "bad bot" to capture similar to this:

}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:4:\"\\0\\0\\0a\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:5:\"cache\";b:1;s:19:\"cache_name_function\";s:6:\"assert\";s:10:\"javascript\";i:9999;s:8:\"feed_url\";s:54:\"eval(base64_decode($_POST[111]));JFactory::get();exit;\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";i:1;}\xf0\x9d\x8c\x86

Maybe something like this:

RewriteCond %{HTTP_USER_AGENT} ^\W [OR]

[mitchellkrogza]

Thanks @davcpas1234 ^\W seems to give a good clean match and { shouldn't actually be in any domain strings. I will add this, can you test?

[mitchellkrogza]

@davcpas1234 added in d12edf0 can you please test.

[davcpas1234]

@mitchellkrogza I've tested, however appears that this exploit still gets around the check:

"GET / HTTP/1.1" 503 299 <URL> "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:4:\"\\0\\0\\0a\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:5:\"cache\";b:1;s:19:\"cache_name_function\";s:6:\"assert\";s:10:\"javascript\";i:9999;s:8:\"feed_url\";s:54:\"eval(base64_decode($_POST[111]));JFactory::get();exit;\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";i:1;}\xf0\x9d\x8c\x86" "-"
Fails and returns 503

"GET / HTTP/1.1" 403 299 <URL> "-" "}__test" "-"
Succeeds and returns 403

[mitchellkrogza]

Thanks for testing David @davcpas1234 we will have to run some more regex tests and try find a good catch for this.

[mitchellkrogza]

@davcpas1234 can you test this regex on your server?

https://regex101.com/r/euluSl/1

[davcpas1234]

Thanks @mitchellkrogza will update as soon as I can.

[davcpas1234]

Still no luck with the above @mitchellkrogza. Even with .*{.* my server is still generating a 503 Service Unavailable response, which I suppose is positive. Maybe that is stopping the 403 from being generated?