Re: URLScan for IIS
From: Simon Jones (simonjone@BTINTERNET.COM)
Date: 11/05/01
- In reply to: Lester, Don: "URLScan for IIS"
Message-ID: <KFEDJNANPBGMCJHLPHHGIEFKCAAA.simonjone@btinternet.com>
Date: Sun, 4 Nov 2001 23:49:05 -0000
From: Simon Jones <simonjone@BTINTERNET.COM>
Subject: Re: URLScan for IIS
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Finally got around to having a play with URLScan.
Is it just me...or does the online documentation contradict this comment in
the ini file:
file://URLScan.ini
AllowDotInPath=1 ; if 1, allow dots that are not file extensions
vs.
http://support.microsoft.com/support/kb/articles/q307/6/08.asp?id=307608&sd=tech
"AllowDotInPath: Allowed values are 0 or 1. If the value is 1, URLScan
rejects any requests containing multiple instances of the period character
(.). If the value is 0, URLScan does not perform this test."
Secondly I can't get (null) extensions to be accepted. I've tried adding the
following to [AllowExtensions], but all to no avail:
./
.
.null
.(null)
.\
Is there another work-around aside from denying extensions rather than
allowing?