Re: URLScan for IIS
From: James M. Truxon (coyote@AVATARSYN.COM)
Date: 11/04/01
Message-ID: <9D0975844A864E4C9E06B0B2D9C33CF3044308@asgaard1.avatarsyn.com>
Date: Sun, 4 Nov 2001 13:09:02 -0500
From: "James M. Truxon" <coyote@AVATARSYN.COM>
Subject: Re: URLScan for IIS
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

>Then I tried to just access the default web page, /, on my server (default
>web page is http://www.servername.com/ without any trailing filename). It
>was rejected. I looked in the log file, and this is what I saw:
>
>[Thu, Nov 01 2001 - 08:31:53] Client at 172.24.20.100: URL contains
>extension '(null)', which is not specifically allowed. Request will be
>rejected. Raw URL='/'
>
>This was not right. How on earth can a file have a null extension? I took
>a moment to laugh at the expense of some poor programmer, then set forth
>looking for a work-around. This package really has no documentation other
>than the comments in the default INI file, and Microsoft's Knowledge Base
>has almost nothing in it pertaining to this package. So, I was reduced to
>trial and error. After several attempts, the fix for my [AllowExtensions]
>section now looks like this:
>
>[AllowExtensions]
>;
>; Extensions listed here are commonly used on a typical IIS server.
>;
>; Note that these entries are effective if "UseAllowExtensions=1"
>; is set in the [Options] section above.
>;
>.asp
>.htm
>.html
>.txt
>.jpg
>.jpeg
>.gif
>./
>
>The last line, ./, is what made the null file extension messages go away,
>and now allows my server to use the [AllowExtensions] properly.

This workaround for allowing default documents didn't actually work for
me, nor did a slew of other incarnations and combinations of [Options]
settings along with the "UseAllowExtensions=1" setting.

Have tried:

  empty "[DenyUrlSequences]" section

  all permutations of:
    NormalizeUrlBeforeScan = [1|0]
    VerifyNormalization = [1|0]
    AllowHighBitCharacters = [1|0]
    AllowDotInPath = [1|0]
    AllowLateScanning = [1|0]

  tried various [AllowExtensions] entries:
    ./
    .
    .(null)
    ./.
    .\
    .\.
    .[alt-0-0]
    /

  application parent paths = [enabled | disabled]

And with each combination, the URL was still discarded by URLScan with
the "URL contains extension '(null)'" message. I'm a little befuddled.
Are there multiple release versions of URLScan?

James Truxon
coyote@avatarsyn.com
p: 419.243.7445
f: 419.243.7556
Avatar Syndicate.
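
An added example, not part of the original messages and not URLScan code: when tuning [AllowExtensions], the rejections quoted above can be tallied from the URLScan log so that every extensionless request (logged as '(null)') is listed with its raw URL. Only the first sample entry comes from the post (in its mail-wrapped form); the other two are constructed in the same format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the rejection message format quoted in the post above.
ENTRY = re.compile(
    r"\[(?P<when>[^\]]+)\]\s+Client at (?P<client>\S+): "
    r"URL contains extension '(?P<ext>[^']*)', which is not specifically "
    r"allowed\. Request will be rejected\. Raw URL='(?P<url>[^']*)'"
)

def unwrap(text):
    """Rejoin wrapped entries (as in the e-mail): a new entry starts with '['."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def rejected_extensions(text):
    """Return (Counter of rejected extensions, raw URLs logged with '(null)')."""
    counts, extensionless = Counter(), []
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if not m:
            continue  # some other kind of log line
        counts[m["ext"]] += 1
        if m["ext"] == "(null)":
            extensionless.append(m["url"])
    return counts, extensionless

# First entry is from the post; the second and third are constructed samples.
SAMPLE = """\
[Thu, Nov 01 2001 - 08:31:53] Client at 172.24.20.100: URL contains
extension '(null)', which is not specifically allowed. Request will be
rejected. Raw URL='/'
[Thu, Nov 01 2001 - 08:32:10] Client at 172.24.20.100: URL contains extension '.ida', which is not specifically allowed. Request will be rejected. Raw URL='/default.ida'
[Thu, Nov 01 2001 - 08:33:02] Client at 172.24.20.101: URL contains extension '(null)', which is not specifically allowed. Request will be rejected. Raw URL='/images/'
"""

if __name__ == "__main__":
    counts, extensionless = rejected_extensions(SAMPLE)
    print(dict(counts))
    print(extensionless)
```
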