URLScan Documentation Contradiction (I think)

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 04/12/02


Date: Fri, 12 Apr 2002 11:43:42 -0400
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: <focus-ms@securityfocus.com>

So I'm fiddlin' with URLScan, and I get to reading the docs. Here's
what I find for AllowDotInPath:

"If set to 1, UrlScan rejects any requests containing multiple instances
of the dot (.) character. If set to 0, UrlScan does not perform this
test."

The default is 0. Thus, I should be able to have (for example) a dot in
a directory name, and URLScan will let this pass, because it isn't
checking this directive. But then, I read this:

"Setting AllowDotInPath to 0 defends against the case where an attacker
uses path info to hide the true extension of the request (for example,
something like "/path/TrueURL.asp/BogusPart.htm"). Setting
AllowDotInPath to 0 also causes UrlScan to deny any request that
contains a dot in a directory name."

But the section above states that setting to 0 means that URLScan
doesn't perform the test!

On a somewhat unrelated and argumentative note, I would also think that
AllowDotInPath=1 would indicate that it should allow a dot within the
path (e.g., a dot in a directory name). Makes sense, right? Apparently
not...

Does anyone know how this directive actually functions?

Thanks,

-- 
Keith W. McCammon



Relevant Pages

  • Re: AllowDotInPath
    ... AllowDotInPath exists, ... >to know what that file extension is just from looking at ... >then it would be a .cfm request. ... Since UrlScan runs very early in the request ...
    (microsoft.public.inetserver.iis.security)
  • Re: AllowDotInPath
    ... UrlScan has the capability of allowing or rejecting a URL, ... to know what that file extension is just from looking at the URL alone. ... it would be a request for a .htm file. ... simple count of the dots in the URL, hence the name AllowDotInPath. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Some messages cant be opened in OWA
    ... the URLScan utility blocks access to messages that contain the ... single dot cannot be opened. ... "The requested resource could not be found". ...
    (microsoft.public.exchange2000.general)
  • Re: FrontPage Counter
    ... Use URLScan with FrontPage 2002 ... I understand the dot in path thing but it seems that it was ... >> Bernard Cheah ... >> Please respond to newsgroups only ... ...
    (microsoft.public.inetserver.iis.security)
  • Re: URLScan Rejects header "transfer-encoding:"
    ... URLScan may block this type of request. ... "I really did not want to reconfigure the URLScan just to accomodate a JDK ... cause vulnerabilities on your server. ... configuration as you see fit and we provide the information to do this. ...
    (microsoft.public.inetserver.iis.security)