Re: URLScan Rejects header "transfer-encoding:"

From: David Wang [Msft] (someone@online.microsoft.com)
Date: 03/15/03


From: "David Wang [Msft]" <someone@online.microsoft.com>
Date: Sat, 15 Mar 2003 00:55:58 -0800


"Transfer-Encoding: chunked" is a concept introduced in HTTP/1.1. HTTP/1.0
does not understand it and hence will not use it.

"Transfer-Encoding: chunked" is a different way to transmit entity body.
Prior to it, HTTP requests must contain a Content-Length header specifying
the number of bytes sent as entity body, and those bytes must be sent in a
kosher HTTP request. "Transfer-Encoding: chunked" allowed a client to tell
the server "I'll keep sending bytes representing the entity body until I say
I'm done with a 0 byte chunk". Obviously, this has benefits to HTTP-based
applications which may not know the size of the entire request/response
until it is sent.

Unfortunately, with this freedom in HTTP comes a price. It is fairly well
known that server-side applications can misbehave on entity body sent with
Transfer-Encoding: chunked. There's a whole bunch of buffer
manipulation/allocation, pointer-arithmetic, and it is a generally ripe area
for programming mistakes. This is one reason that some configurations of
URLScan may block this type of request.

So, really, your statement of:
"I really did not want to reconfigure the URLScan just to accomodate a JDK
emulator when everyone else had no problems!"
should be weighed against
"URLScan is intentionally blocking certain classes of requests that can
cause vulnerabilities on your server. By disabling the block, you are
potentially reducing the security on your server, but you do this on your
own free will and you take responsibility."

IIS Lockdown comes with a set of templates and sample values for
configuration, all of which are free to be configured. It is expected that
customers do some tweaking since no two customers are alike, though we
expect that most customers probably won't tweak it for various reasons.
Thus, we try to make the default be as safe and secure as possible for those
customers. If it happens to break you, then you can loosen the
configuration as you see fit and we provide the information to do this.
This is expected. It is the cost of Security.

Ultimately, you make the choice. Microsoft is obligated to allow you to
make that choice. Just be aware that security is not something you
"install/enable" and forget, and it is definitely not "one size fits
all/many". The defaults are designed to favor security over functionality
since we want to enable you to find the functionality you need and not
enable the hackers to exploit the functionality you don't need.

--
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//
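As an added example that is not from this thread or from URLScan itself: a Python decoder for the chunked entity body David describes (hex chunk sizes until a 0-byte chunk, with optional chunk extensions and trailers), written with the explicit bounds checks that the buffer handling he warns about needs, next to a check that mimics what URLScan's [DenyHeaders] entry for "transfer-encoding:" does. The request bytes are constructed here, modelled on Charlie's POST; the host name and size limit are assumptions.

```python
import re

CRLF = b"\r\n"

def has_denied_header(raw_request: bytes, denied=(b"transfer-encoding",)) -> bool:
    """URLScan-style [DenyHeaders] check: True if any header name is on the deny list."""
    head = raw_request.split(CRLF + CRLF, 1)[0]
    for line in head.split(CRLF)[1:]:               # skip the request line
        if line.partition(b":")[0].strip().lower() in denied:
            return True
    return False

def decode_chunked(body: bytes, max_total: int = 1 << 20) -> bytes:
    """Decode a chunked entity body; ValueError on malformed or oversize input."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()   # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_field):  # bounded hex only
            raise ValueError("bad chunk size")
        size, pos = int(size_field, 16), end + 2
        if size == 0:                                # last-chunk: skip trailers to blank line
            while (end := body.find(CRLF, pos)) != pos:
                if end < 0:
                    raise ValueError("truncated trailer")
                pos = end + 2
            return bytes(out)
        if len(out) + size > max_total:              # cap total before copying anything
            raise ValueError("chunked body exceeds limit")
        if body[pos + size:pos + size + 2] != CRLF:  # also fails when data is truncated
            raise ValueError("truncated chunk data or missing CRLF")
        out += body[pos:pos + size]
        pos += size + 2

def body_of(raw_request: bytes) -> bytes:
    """Entity body of a raw request: chunked if announced, else Content-Length bytes."""
    head, _, body = raw_request.partition(CRLF + CRLF)
    headers = {l.partition(b":")[0].strip().lower(): l.partition(b":")[2].strip()
               for l in head.split(CRLF)[1:]}
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return decode_chunked(body)
    return body[:int(headers.get(b"content-length", b"0"))]

# Constructed sample, shaped like the JDK emulator's POST but sent as HTTP/1.1 chunks.
CHUNKED_POST = (b"POST /script.asp HTTP/1.1\r\nHost: example.invalid\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n"
                b"c\r\nname1=value1\r\n" b"d;ext=1\r\n&name2=value2\r\n" b"0\r\n\r\n")
```

Running `has_denied_header(CHUNKED_POST)` is the URLScan outcome Charlie saw, while the same request re-sent as HTTP/1.0 with a Content-Length passes the check and is read by the Content-Length branch.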
"Charlie" <charliebwhite@yahoo.com> wrote in message
news:010b01c2ea5a$ef891590$a301280a@phx.gbl...
Also can someone explain to me why it's beneficial URLScan
doesn't allow "transfer-encoding" though? I configured
URLScan to be an ASP server.
If it's a good idea to allow this through, I will change
it anyways. If it's better security to not allow it, I
will leave it alone. Let me know! I appreciate everyone's
input on this! Thank you!
>-----Original Message-----
>Client got it to work without me having to change anything!
>All he did was configured the windows JDK emulator to use
>HTTP/1.0 protocol instead of HTTP/1.1. So looks like the
>transfer-encoding is part of HTTP/1.1 protocol??
>
>I'm confused why this would work.. what's the difference
>between these? Doesn't everything these days use HTTP/1.1?
>What does latest Internet explorer use?
>
>I really did not want to reconfigure the URLScan just to
>accommodate a JDK emulator when everybody else had no
>problems!
>
>Can anybody explain why this would be the solution? Or are
>you as confused as I?
>
>>-----Original Message-----
>>what do you have in your [DenyHeaders] in the urlscan.ini
>>if you remove 'Translate:', works ?
>>urlscan is rejecting your content-type header.
>>
>>try play around with the settings in urlscan.ini.
>>note: you must restart IIS to apply the changes.
>>
>>Rgds.
>>
>>
>>
>>
>>"Charlie" <charliebwhite@yahoo.com> wrote in message
>>news:081801c2e9e6$6493e880$3401280a@phx.gbl...
>>> Sorry! I meant to include this!
>>>
>>> ***IIS log reports:***
>>> 2003-03-04 18:04:28 63.165.169.127 - W3SVC1 WIWEB
>>> 10.9.9.100 80 GET /<Rejected-By-UrlScan> ~script.asp
404
>>> 123 4203 136 15 HTTP/1.1 63.162.0.3:80 -
>>>
>>> ***URLScan reports:***
>>> [03-04-2003 - 10:04:28] Client at 63.165.169.127: URL
>>> contains disallowed header 'transfer-encoding:' Request
>>> will be rejected. Site Instance='1', Raw
>URL='script.asp'
>>>
>>> And if you can quickly tell me how to configure
URLScan
>to
>>> allow "transfer-encoding" on top of this problem, it
>would
>>> be greatly appreciated!
>>> Thank You!
>>>
>>> >-----Original Message-----
>>> >Can you post the line in urlscanxxx.log and iislog
>>> >that urlscan rejected ?
>>> >
>>> >from there we should be able to know why and how to solve it
>>> >hopefully.
>>> >
>>> >Rgds.
>>> >
>>> >
>>> >"Charlie" <charliebwhite@yahoo.com> wrote in message
>>> >news:05d901c2e993$831019d0$2f01280a@phx.gbl...
>>> >> I'm working with a client that is posting information to
>>> >> our Active Server Page from a JDK emulator. However URLScan
>>> >> is rejecting it and reporting this:
>>> >>
>>> >> URL contains disallowed header 'transfer-encoding:'
>>> >> Request will be rejected.  Site Instance='1'
>>> >>
>>> >> Client tells me he has it programmed to send for example:
>>> >> -----------
>>> >> POST script.asp HTTP/1.1\n
>>> >> Content-Type: application/x-www-form-urlencoded\n
>>> >> Content-Length: nnnn\n
>>> >> \n
>>> >> name1=value1&name2=value2&phone=123%4567890$201212\n
>>> >>
>>> >> Post headers are: {Content-Type=application/x-www-form-urlencoded, Content-Length=66}
>>> >> ------------
>>> >>
>>> >> Must I turn off URLScanning in the UrlScan.ini file for
>>> >> this to work? I'd rather not. How is URLScan
>>> >> detecting "transfer-encoding:" ?? I'd rather prevent it
>>> >> from sending this if possible? Any suggestions on
>>> >> ensuring "transfer-encoding" is not sent.
>>> >>
>>> >> If nobody can help me with this problem, can someone tell
>>> >> me how to configure URLScan specifically to
>>> >> allow "transfer-encoding:" in a header?
>>> >>
