Block URI with /dev60cgi from external client_addr

I figured it out. I'm using the same logic as before, but now I'm searching for a different string (had to uses wireshark on a non-ssl server to figure this out)

 

 

when HTTP_REQUEST {

 

if { not [matchclass [IP::client_addr] equals $::approved_clients] } {

 

if {[HTTP::uri] contains "/fnd_icx_launch.runforms"} {

 

if { not [matchclass [HTTP::uri] contains $::approved_forms] } {

 

log local0. "URI requested by [IP::client_addr] blocked"

 

log local0. "URI requested = [HTTP::uri]"

 

HTTP::respond 200 content "ErrorError No Access to forms via external address"

 

HTTP::redirect "http://somewhere.com"

 

}

 

}

 

}

 

}

 

 

 

Here's the key string

 

 

GET /pls/dbname/fnd_icx_launch.runforms?ICX_TICKET=&resp_app=CSFCUST&resp_key=DRES_ASO_RESP&secgrp_key=STANDARD&start_func=DRECSFFEDBF&other_params= HTTP/1.1

 

Accept: */*

 

Accept-Language: en-us

 

Accept-Encoding: gzip, deflate

 

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)

 

Host: hostname.domainname.com

 

Connection: Keep-Alive

 

Cookie: oracle.uix=0^^GMT-5:00^p; oracle.uix=0^^GMT-5:00^p; BIGipServerdbname_http_pool=2759328266.29215.0000; JServSessionIdroot=gs9z80d911.qRjIa34MsAXIngPAcBbPpx0LaBDJpAiHnwTyqAjNqQjM/AbJphCLbxiKa0--; dbserver_dbname=fFXMJKIYaHBAets8D7_X5Q0h:S

 

 

HTTP/1.0 302 Found

 

Date: Thu, 10 Apr 2008 22:25:45 GMT

 

Server: Oracle HTTP Server Powered by Apache/1.3.19

 

Location: http://hostname.domainname.com/dev60cgi/f60cgi?lang=US&env=NLS_LANG='AMERICAN_AMERICA.UTF8'+FORMS60_USER_DATE_FORMAT='DD-MON-RRRR'+FORMS60_USER_DATETIME_FORMAT='DD-MON-RRRR%20HH24%3AMI%3ASS'+NLS_DATE_LANGUAGE='AMERICAN'+NLS_SORT='BINARY'+NLS_NUMERIC_CHARACTERS='.,'&form_params=+config='dbserver_dbname'+icx_ticket='.A5yJBWacW3TQ7ScPm3ElNw..'+resp='CSFCUST%2FDRES_ASO_RESP'+secgrp='STANDARD'+start_func='DRECSFFEDBF'&encoding=UTF-8

 

Content-Type: text/plain