Re: URLScan for IIS

From: James M. Truxon (coyote@AVATARSYN.COM)
Date: 11/04/01


Message-ID:  <9D0975844A864E4C9E06B0B2D9C33CF3044308@asgaard1.avatarsyn.com>
Date:         Sun, 4 Nov 2001 13:09:02 -0500
From: "James M. Truxon" <coyote@AVATARSYN.COM>
Subject:      Re: URLScan for IIS
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


>Then I tried to just access the default web page, /, on my server (default
>web page is http://www.servername.com/ without any trailing filename). It
>was rejected. I looked in the log file, and this is what I saw:
>
>[Thu, Nov 01 2001 - 08:31:53] Client at 172.24.20.100: URL contains
>extension '(null)', which is not specifically allowed. Request will be
>rejected. Raw URL='/'

>This was not right. How on earth can a file have a null extension? I took
>a moment to laugh at the expense of some poor programmer, then set forth
>looking for a work-around. This package really has no documentation other
>than the comments in the default INI file, and Microsoft's Knowledge Base
>has almost nothing in it pertaining to this package. So, I was reduced to
>trial and error. After several attempts, the fix for my [AllowExtensions]
>section now looks like this:

>[AllowExtensions]

>;
>; Extensions listed here are commonly used on a typical IIS server.
>;
>; Note that these entries are effective if "UseAllowExtensions=1"
>; is set in the [Options] section above.
>;

>.asp
>.htm
>.html
>.txt
>.jpg
>.jpeg
>.gif
>./

>The last line, ./, is what made the null file extension messages go away,
>and now allows my server to use the [AllowExtensions] properly.

This workaround for allowing default documents didn't actually work for
me, nor did a slew of other incarnations and combinations of [Options]
settings along with the "UseAllowExtensions=1" setting.

        Have tried:
                empty "[DenyUrlSequences]" section
                all permutations of:
                        NormalizeUrlBeforeScan = [1|0]
                        VerifyNormalization = [1|0]
                        AllowHighBitCharacters = [1|0]
                        AllowDotInPath = [1|0]
                        AllowLateScanning = [1|0]
                tried various [AllowExtensions] entries
                        ./
                        .
                        .(null)
                        ./.
                        .\
                        .\.
                        .[alt-0-0]
                        /
                application parent paths = [enabled | disabled]

And with each combination, the URL was still discarded by URLScan with
the "URL contains extension '(null)'" message. I'm a little befuddled.
Are there multiple release versions of URLScan?

James Truxon
coyote@avatarsyn.com
p: 419.243.7445
f: 419.243.7556
Avatar Syndicate.
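An added example (my own, not the original poster's code and not URLScan's) that models the allow-list extension check the thread describes, to show why a request for / carries no extension at all and is rejected when UseAllowExtensions=1 has no entry that stands for "no extension". The INI fragment is constructed, and treating a bare "." entry as the no-extension marker is an assumption of this model, not a statement about any particular URLScan release.

```python
# Added example: a small model of an allow-list extension check.
# Not URLScan's code; it only illustrates the "(null)" extension case
# discussed in the thread.
import re
from urllib.parse import urlsplit

# Constructed urlscan.ini fragment, modelled on the one quoted above.
SAMPLE_INI = """
[Options]
UseAllowExtensions=1

[AllowExtensions]
; Extensions listed here are commonly used on a typical IIS server.
.asp
.htm
.html
.gif
"""

# Assumption of this model: a bare "." entry means "URLs with no extension".
NO_EXTENSION_MARKER = "."

def parse_ini(text):
    """Return {section_name_lowercase: [entries]}, skipping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def url_extension(url):
    """Extension of the last path segment, or None if it has none ('/' -> None)."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    m = re.search(r"(\.[^.]*)$", last)
    return m.group(1).lower() if m else None

def is_allowed(url, sections):
    """Allow-list decision: True if the URL's extension is listed."""
    opts = dict((k.strip(), v.strip()) for k, v in
                (e.split("=", 1) for e in sections.get("options", []) if "=" in e))
    if opts.get("UseAllowExtensions", "0") != "1":
        return True  # allow-list mode is off; this check does not apply
    allowed = {e.lower() for e in sections.get("allowextensions", [])}
    ext = url_extension(url)
    return (NO_EXTENSION_MARKER in allowed) if ext is None else (ext in allowed)
```

Run against the constructed fragment, "/" is rejected because its extension is None, while "/default.asp" passes; appending the marker entry to [AllowExtensions] is what lets "/" through in this model.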


