Re: URLScan for IIS
From: Mark Vivanco (mark@CHECKMEOUT.COM) Date: 11/04/01
- Previous message: David LeBlanc: "Re: Towards a responsible vulnerability process"
- In reply to: James M. Truxon: "Re: URLScan for IIS"
- Next in thread: Simon Jones: "Re: URLScan for IIS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <003001c1657c$67bd64e0$9865fea9@WEB3> Date: Sun, 4 Nov 2001 17:02:33 -0500 From: Mark Vivanco <mark@CHECKMEOUT.COM> Subject: Re: URLScan for IIS To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
This is what my configuration file looks like, and it allows for default files (nulls):
[options]
UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1 ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=1 ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=1 ; if 1, allow dots that are not file extensions
RemoveServerHeader=0 ; if 1, remove "Server" header from response
EnableLogging=1 ; if 1, log UrlScan activity
PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0 ; if 1, then UrlScan will load as a low priority filter.
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=
[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
GET
HEAD
POST
;OPTIONS ; FrontPage Server Extensions requires OPTIONS. If you need to enable
; it, uncomment the OPTIONS verb and set "AllowLateScanning=1" in the
; [Options] section above. Additionally, after changing this file and
; restarting the web service, you should go to the "ISAPI Filters" tab
; for the server's properties in MMC and ensure that UrlScan is listed
; lower than fpexedll.dll.
[DenyVerbs]
;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;
Translate:
If:
Lock-Token:
[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
.asp
.htm
.html
.txt
.jpg
.jpeg
.gif
.cfm
.cfml
.mpg
.mpeg
.mov
[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are allowed to run with the below
; settings. If you wish to prevent ASP from running, add the
; following extensions to this list:
; .asp
; .cer
; .cdx
; .asa
;
; Executables that run on the server
.exe
.bat
.cmd
.com
; Infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services
; Various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files
[DenyUrlSequences]
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of James M. Truxon
Sent: Sunday, November 04, 2001 1:09 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: URLScan for IIS
>Then I tried to just access the default web page, /, on my server (default
>web page is http://www.servername.com/ without any trailing filename). It
>was rejected. I looked in the log file, and this is what I saw:
>
>[Thu, Nov 01 2001 - 08:31:53] Client at 172.24.20.100: URL contains
>extension '(null)', which is not specifically allowed. Request will be
>rejected. Raw URL='/'
>This was not right. How on earth can a file have a null extension? I took
>a moment to laugh at the expense of some poor programmer, then set forth
>looking for a work-around. This package really has no documentation other
>than the comments in the default INI file, and Microsoft's Knowledge Base
>has almost nothing in it pertaining to this package. So, I was reduced to
>trial and error. After several attempts, the fix for my [AllowExtensions]
>section now looks like this:
>[AllowExtensions]
>;
>; Extensions listed here are commonly used on a typical IIS server.
>;
>; Note that these entries are effective if "UseAllowExtensions=1"
>; is set in the [Options] section above.
>;
>.asp
>.htm
>.html
>.txt
>.jpg
>.jpeg
>.gif
>./
>The last line, ./, is what made the null file extension messages go away,
>and now allows my server to use the [AllowExtensions] properly.
This workaround for allowing default documents didn't actually work for
me, nor did a slew of other incarnations and combinations of [Options]
settings along with the "UseAllowExtensions=1" setting.
I have tried:
empty "[DenyUrlSequences]" section
all permutations of:
NormalizeUrlBeforeScan = [1|0]
VerifyNormalization = [1|0]
AllowHighBitCharacters = [1|0]
AllowDotInPath = [1|0]
AllowLateScanning = [1|0]
tried various [AllowExtensions] entries
./
.
.(null)
./.
.\
.\.
.[alt-0-0]
/
application parent paths = [enabled | disabled]
and with each combination, the URL was still discarded by URLScan with
the "URL contains extension '(null)'" message. I'm a little befuddled.
Are there multiple release versions of URLScan?
James Truxon
coyote@avatarsyn.com
p: 419.243.7445
f: 419.243.7556
Avatar Syndicate.
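Worked example, added here and not part of either message or of URLScan itself: a small Python model of the request checks that the UrlScan.ini posted above configures. It assumes URLScan's behaviour only as far as the thread shows it (verb and extension allow/deny modes, [DenyHeaders], [DenyUrlSequences], normalization with VerifyNormalization, and the '(null)' extension that a request for '/' produces in the quoted log line); the condensed INI text, the parse_ini/url_extension/check_request names and the sample URLs are constructed for the example. It does not settle whether a "./" entry in [AllowExtensions] matches a bare "/" in the real filter, which is what the two messages disagree on; the model simply treats a URL with no extension as matching no entry, and so shows why the deny-list mode (UseAllowExtensions=0) in the configuration above lets "/" through: there is no extension to deny.

```python
# Added example (not URLScan's code): a model of the request filter that the
# posted UrlScan.ini configures, following only what the thread shows.
from urllib.parse import unquote

# Constructed, condensed INI in the same shape as the posted configuration.
DENY_LIST_INI = """
[Options]
UseAllowVerbs=1        ; use [AllowVerbs]
UseAllowExtensions=0   ; deny-list mode, as in the posted file
NormalizeUrlBeforeScan=1
VerifyNormalization=1  ; reject if a second decode still changes the URL
[AllowVerbs]
GET
HEAD
POST
[DenyVerbs]
PROPFIND
[DenyHeaders]
Translate:
[AllowExtensions]
.asp
.htm
[DenyExtensions]
.exe ; executables that run on the server
.ida ; maps to idq.dll (Index Server)
[DenyUrlSequences]
.. ; directory traversal
\\ ; backslashes in URL
% ; escaping left over after normalization
"""

# Same file with the allow-list extension mode switched on instead.
ALLOW_LIST_INI = DENY_LIST_INI.replace("UseAllowExtensions=0", "UseAllowExtensions=1")


def parse_ini(text):
    """Parse URLScan-style INI text: '[Section]' headers, 'key=value' lines,
    bare list entries and ';' comments. Section and key names are folded to
    lower case, so '[options]' and '[Options]' are the same section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop the comment part
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {"keys": {}, "items": []}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current]["keys"][key.strip().lower()] = value.strip()
        elif current is not None:
            sections[current]["items"].append(line)
    return sections


def url_extension(url):
    """Extension of the URL's last path segment, or None when that segment
    has no dot. A bare directory such as '/' has no extension, which is the
    '(null)' shown in the quoted log line."""
    segment = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return segment[segment.rfind("."):].lower() if "." in segment else None


def check_request(cfg, verb, url, headers=None):
    """Return (allowed, reason) for one request against a parsed config."""
    opts = cfg["options"]["keys"]

    def items(section):
        return cfg.get(section, {"items": []})["items"]

    # Verb check: allow list or deny list, selected by UseAllowVerbs.
    if opts.get("useallowverbs") == "1":
        if verb.upper() not in {v.upper() for v in items("allowverbs")}:
            return False, f"verb '{verb}' is not specifically allowed"
    elif verb.upper() in {v.upper() for v in items("denyverbs")}:
        return False, f"verb '{verb}' is disallowed"

    # Headers that would make IIS treat the request as WebDAV.
    denied_headers = {h.rstrip(":").lower() for h in items("denyheaders")}
    for name in (headers or {}):
        if name.lower() in denied_headers:
            return False, f"header '{name}' is disallowed"

    # Canonicalise once; with VerifyNormalization, decode again and reject
    # if that still changes anything (a double-encoded URL).
    if opts.get("normalizeurlbeforescan") == "1":
        url = unquote(url)
        if opts.get("verifynormalization") == "1" and unquote(url) != url:
            return False, "URL changed when normalized a second time"

    for seq in items("denyurlsequences"):
        if seq in url:
            return False, f"URL contains sequence '{seq}', which is disallowed"

    # Extension check: the mode decides whether a missing extension matters.
    ext = url_extension(url)
    shown = "(null)" if ext is None else ext
    if opts.get("useallowextensions") == "1":
        if ext not in {e.lower() for e in items("allowextensions")}:
            return False, f"URL contains extension '{shown}', which is not specifically allowed"
    elif ext in {e.lower() for e in items("denyextensions")}:
        return False, f"URL contains extension '{shown}', which is disallowed"
    return True, "ok"


if __name__ == "__main__":
    for mode, ini in (("deny-list", DENY_LIST_INI), ("allow-list", ALLOW_LIST_INI)):
        cfg = parse_ini(ini)
        for url in ("/", "/default.asp", "/default.ida", "/%252e%252e/"):
            print(mode, url, check_request(cfg, "GET", url))
```

Running it prints "/" as allowed under the deny-list file and rejected with the '(null)' message under the allow-list variant, which is the difference between Mark's working configuration and the UseAllowExtensions=1 setups James tried.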