IISShield and ASP.NET canonicalization

From: Tiago Halm (thalm_at_HOTMAIL.COM)
Date: 10/13/04

    Date:         Wed, 13 Oct 2004 20:20:03 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    All,

    A lot of fuss has come around the canonicalization issue found with IIS and
    ASP.NET forms authentication. One of the main worries has been if IISShield
    is an effective measure to prevent this kind of exploit.

    So, is it effective? Yes!

    Since ISAPI Filters will be the main topic, here goes. ISAPI Filters have
    several notifications to which they can subscribe and these notifications
    are the various steps through which an Http Request goes through before
    reaching the intended script map ISAPI Extension to which it is destined.
    Each ISAPI Filter installed in IIS has a chance to do something (parse,
    modify) to the contents of that Http Request (each ISAPI gets a chance to
    do its own thing in the exact order they are installed in IIS).

    Only after the ISAPI Filters process the pre-execution notifications, is
    when IIS delivers the Http Request to the appropriate script map ISAPI
    Extension. ASP.NET, with its associated extensions - aspx, asax, ashx,
    etc., is handled by one of those ISAPI Extensions called
    C:\WINNT\Microsoft.NET\Framework\<framework version>\aspnet_isapi.dll
    (IIS5). In IIS6, the ISAPI Extension of ASP.NET has another name I do not
    recall right now. These extensions deal with all the details of the ASP.NET
    execution request. After ASP.NET terminates the processing of the Http
    Request, it then delivers it to the ISAPI Filters "kingdom" again. And now, the
    Http Response (now it's called response, since it is an answer to a request)
    must then travel through the post-execution notifications where again the
    ISAPI Filters have their opportunity to parse/modify the Http Response.
    So, every Http Request reaching IIS goes through the ISAPI Filter
    notifications where there is an opportunity to parse the request.

    KodeIT IISShield reliably protects IIS from any encoding attempt of a URL be
    it:
    - Hexadecimal escape codes
    - UTF-8 variable-width encoding
    - UCS-2 Unicode encoding
    - Double encoding

    Tiago Halm
    KodeIT Development Team
    http://www.kodeit.org
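
Added example, not part of the original post and not IISShield's code: a C sketch of the kind of check a pre-execution filter could run on the raw URL to flag the four encodings listed above. The function names, flag values and sample URL are constructed for illustration, and "UTF-8 variable-width encoding" is assumed here to mean non-shortest (overlong) sequences.

```c
#include <stdio.h>
#include <string.h>
/* Flags for the encodings listed in the post; ENC_BAD marks a malformed escape. */
enum { ENC_HEX = 1, ENC_UCS2 = 2, ENC_DOUBLE = 4, ENC_OVERLONG = 8, ENC_BAD = 16 };
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                   /* fold ASCII case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode exactly one layer of %XX escapes into out; return the flags seen. */
static int decode_once(const char *in, unsigned char *out, size_t *len) {
    int flags = 0; size_t n = 0;
    for (size_t i = 0; in[i]; i++) {
        if (in[i] != '%') { out[n++] = (unsigned char)in[i]; continue; }
        if (in[i + 1] == 'u' || in[i + 1] == 'U') { flags |= ENC_UCS2; continue; }
        int hi = hexval((unsigned char)in[i + 1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
        if (lo < 0) return ENC_BAD;              /* '%' not followed by two hex digits */
        out[n++] = (unsigned char)(hi * 16 + lo);
        flags |= ENC_HEX; i += 2;
    }
    *len = n;
    return flags;
}

/* Classify a request URL (constructed helper name, not an IIS or IISShield API). */
int classify_url(const char *url) {
    unsigned char buf[2048]; size_t n = 0;
    if (strlen(url) >= sizeof buf) return ENC_BAD;
    int flags = decode_once(url, buf, &n);
    if (flags & ENC_BAD) return ENC_BAD;         /* malformed: no further analysis */
    for (size_t i = 0; i < n; i++) {
        unsigned char b = buf[i], nx = i + 1 < n ? buf[i + 1] : 0;
        /* An escape that survives one decode was hidden by the first layer. */
        if (b == '%' && i + 2 < n && hexval(nx) >= 0 && hexval(buf[i + 2]) >= 0)
            flags |= ENC_DOUBLE;
        /* Non-shortest UTF-8 forms: C0/C1 leads, E0 80..9F, F0 80..8F. */
        if (b == 0xC0 || b == 0xC1 || (b == 0xE0 && nx >= 0x80 && nx < 0xA0) ||
            (b == 0xF0 && nx >= 0x80 && nx < 0x90))
            flags |= ENC_OVERLONG;
    }
    return flags;
}

int main(void) {
    printf("%d\n", classify_url("/app/%2564efault.aspx")); /* constructed; prints 5 */
    return 0;
}
```

A filter using such a check would act on any non-zero result before the request reaches the script-mapped extension; legitimate UTF-8 in paths still reports ENC_HEX, so the policy for that flag is a deployment decision.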
