Re: URLScan Rejects header "transfer-encoding:"

From: Wade A. Hilmo [MS] (wadeh@microsoft.com)
Date: 03/15/03

  • Next message: TA: "Service Packs"
    From: "Wade A. Hilmo [MS]" <wadeh@microsoft.com>
    Date: Sat, 15 Mar 2003 07:53:47 -0800
    
    

    *Sigh*

    I just posted a reply to the thread entitled "Transfer-Encoding denied by
    UrlScan" before seeing this one.

    If anyone is interested in the technical details of why we put this entry in
    the UrlScan.ini file, you can find it there.

    As for this thread, I agree that configuring the JDK emulator to use
    HTTP/1.0 is the right thing to do.

    Thank you,
    -Wade Hilmo,
    -Microsoft

    "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
    news:eU6ezCt6CHA.2308@TK2MSFTNGP10.phx.gbl...
    > "Transfer-Encoding: chunked" is a concept introduced in HTTP/1.1. HTTP/1.0
    > does not understand it and hence will not use it.
    >
    > "Transfer-Encoding: chunked" is a different way to transmit entity body.
    > Prior to it, HTTP requests must contain a Content-Length header specifying
    > the number of bytes sent as entity body, and those bytes must be sent in a
    > kosher HTTP request. "Transfer-Encoding: chunked" allowed a client to tell
    > the server "I'll keep sending bytes representing the entity body until I say
    > I'm done with a 0 byte chunk". Obviously, this has benefits to HTTP-based
    > applications which may not know the size of the entire request/response
    > until it is sent.
    >
    > Unfortunately, with this freedom in HTTP comes a price. It is fairly well
    > known that server-side applications can misbehave on entity body sent with
    > Transfer-Encoding: chunked. There's a whole bunch of buffer
    > manipulation/allocation, pointer-arithmetic, and it is a generally ripe area
    > for programming mistakes. This is one reason that some configurations of
    > URLScan may block this type of request.
    >
    > So, really, your statement of:
    > "I really did not want to reconfigure the URLScan just to accommodate a JDK
    > emulator when everyone else had no problems!"
    > should be weighed against
    > "URLScan is intentionally blocking certain classes of requests that can
    > cause vulnerabilities on your server. By disabling the block, you are
    > potentially reducing the security on your server, but you do this on your
    > own free will and you take responsibility."
    >
    > IIS Lockdown comes with a set of templates and sample values for
    > configuration, all of which are free to be configured. It is expected that
    > customers do some tweaking since no two customers are alike, though we
    > expect that most customers probably won't tweak it for various reasons.
    > Thus, we try to make the default be as safe and secure as possible for those
    > customers. If it happens to break you, then you can loosen the
    > configuration as you see fit and we provide the information to do this.
    > This is expected. It is the cost of Security.
    >
    > Ultimately, you make the choice. Microsoft is obligated to allow you to
    > make that choice. Just be aware that security is not something you
    > "install/enable" and forget, and it is definitely not "one size fits
    > all/many". The defaults are designed to favor security over functionality
    > since we want to enable you to find the functionality you need and not
    > enable the hackers to exploit the functionality you don't need.
    >
    > --
    > //David
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    > //
    > "Charlie" <charliebwhite@yahoo.com> wrote in message
    > news:010b01c2ea5a$ef891590$a301280a@phx.gbl...
    > Also can someone explain to me why it's beneficial URLScan
    > doesn't allow "transfer-encoding" though? I configured
    > URLScan to be an ASP server.
    >
    > If it's a good idea to allow this through, I will change
    > it anyways. If it's better security to not allow it, I
    > will leave it alone. Let me know! I appreciate everyone's
    > input on this! Thank you!
    >
    > >-----Original Message-----
    > >Client got it to work without me having to change anything!
    > >All he did was configured the windows JDK emulator to use
    > >HTTP/1.0 protocol instead of HTTP/1.1 So looks like the
    > >transfer-encoding is part of HTTP/1.1 protocol??
    > >
    > >I'm confused why this would work.. what's the difference
    > >between these? Doesn't everything these days use HTTP/1.1?
    > >What does latest Internet explorer use?
    > >
    > >I really did not want to reconfigure the URLScan just to
    > >accomodate a JDK emulator when everybody else had no
    > >problems!
    > >
    > >Can anybody explain why this would be the solution? Or are
    > >you as confused as I?
    > >
    > >>-----Original Message-----
    > >>what do you have in your [DenyHeaders] in the urlscan.ini
    > >>if you remove 'Translate:', does it work?
    > >>urlscan is rejecting your content-type header.
    > >>
    > >>try playing around with the settings in urlscan.ini.
    > >>note: you must restart IIS to apply the changes.
    > >>
    > >>Rgds.
    > >>
    > >>
    > >>
    > >>
    > >>"Charlie" <charliebwhite@yahoo.com> wrote in message
    > >>news:081801c2e9e6$6493e880$3401280a@phx.gbl...
    > >>> Sorry! I meant to include this!
    > >>>
    > >>> ***IIS log reports:***
    > >>> 2003-03-04 18:04:28 63.165.169.127 - W3SVC1 WIWEB
    > >>> 10.9.9.100 80 GET /<Rejected-By-UrlScan> ~script.asp 404
    > >>> 123 4203 136 15 HTTP/1.1 63.162.0.3:80 -
    > >>>
    > >>> ***URLScan reports:***
    > >>> [03-04-2003 - 10:04:28] Client at 63.165.169.127: URL
    > >>> contains disallowed header 'transfer-encoding:' Request
    > >>> will be rejected. Site Instance='1', Raw URL='script.asp'
    > >>>
    > >>> And if you can quickly tell me how to configure URLScan to
    > >>> allow "transfer-encoding" on top of this problem, it would
    > >>> be greatly appreciated!
    > >>> Thank You!
    > >>>
    > >>> >-----Original Message-----
    > >>> >Can you post the line in urlscanxxx.log and iislog
    > >>> >that urlscan rejected ?
    > >>> >
    > >>> >from there we should be able to know why and how to solve it
    > >>> >hopefully.
    > >>> >
    > >>> >Rgds.
    > >>> >
    > >>> >
    > >>> >"Charlie" <charliebwhite@yahoo.com> wrote in message
    > >>> >news:05d901c2e993$831019d0$2f01280a@phx.gbl...
    > >>> >> I'm working with a client that is posting information to
    > >>> >> our Active Server Page from a JDK emulator. However URL
    > >>> >> scan is rejecting it and reporting this:
    > >>> >>
    > >>> >> URL contains disallowed header 'transfer-encoding:'
    > >>> >> Request will be rejected. Site Instance='1'
    > >>> >>
    > >>> >> Client tells me he has it programmed to send for example:
    > >>> >> -----------
    > >>> >> POST script.asp HTTP/1.1\n
    > >>> >> Content-Type: application/x-www-form-urlencoded\n
    > >>> >> Content-Length: nnnn\n
    > >>> >> \n
    > >>> >> name1=value1&name2=value2&phone=123%4567890$201212\n
    > >>> >>
    > >>> >> Post headers are: {Content-Type=application/x-www-form-
    > >>> >> urlencoded, Content-Length=66}
    > >>> >> ------------
    > >>> >>
    > >>> >> Must I turn off URLScanning in the UrlScan.ini file for
    > >>> >> this to work? I'd rather not. How is URLScan
    > >>> >> detecting "transfer-encoding:" ?? I'd rather prevent it
    > >>> >> from sending this if possible. Any suggestions on
    > >>> >> ensuring "transfer-encoding" is not sent.
    > >>> >>
    > >>> >> If nobody can help me with this problem, can someone tell
    > >>> >> me how to configure URLScan specifically to
    > >>> >> allow "transfer-encoding:" in a header?
    > >>> >>

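    The thread's two technical points in runnable form, as an added example that is not code from the thread, from UrlScan or from IIS: the same POST is framed once the HTTP/1.0 way (Content-Length) and once the HTTP/1.1 way ("Transfer-Encoding: chunked", hex size lines, terminating 0 chunk), a deny-list check modelled on the [DenyHeaders] idea shows why only the chunked variant is rejected, and a strict chunked decoder shows the size-parsing and framing checks that the "buffer manipulation / pointer-arithmetic" remark is about. The deny list, the example.test host name, the sample form body and the size limits are assumptions for the example.

```python
"""Content-Length vs chunked framing, a DenyHeaders-style check, and a strict
chunked decoder. Added example; not from the thread, UrlScan or IIS."""
from typing import Dict, Tuple

CRLF = b"\r\n"
HEX = b"0123456789abcdefABCDEF"
MAX_CHUNK = 1 << 20   # assumed per-chunk limit
MAX_BODY = 8 << 20    # assumed total-body limit
# Assumed deny list in the spirit of a UrlScan.ini [DenyHeaders] section;
# names are compared case-insensitively.
DENY_HEADERS = frozenset({"translate", "if", "lock-token", "transfer-encoding"})
# Constructed sample body (form-encoded, like the one in the thread).
SAMPLE_BODY = b"name1=value1&name2=value2&phone=123%4567890%24201212"


def build_request(path: str, body: bytes, chunked: bool, chunk_size: int = 16) -> bytes:
    """HTTP/1.0 POST with Content-Length, or HTTP/1.1 POST with chunked coding."""
    headers = [b"Host: example.test",
               b"Content-Type: application/x-www-form-urlencoded"]
    if chunked:
        request_line = b"POST %s HTTP/1.1" % path.encode("ascii")
        headers.append(b"Transfer-Encoding: chunked")
        pieces = [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]
        payload = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces)
        payload += b"0\r\n\r\n"            # last-chunk, then empty trailer line
    else:
        request_line = b"POST %s HTTP/1.0" % path.encode("ascii")
        headers.append(b"Content-Length: %d" % len(body))
        payload = body
    return CRLF.join([request_line] + headers) + CRLF + CRLF + payload


def parse_headers(raw: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0], headers, rest


def deny_header_verdict(raw: bytes) -> Tuple[bool, str]:
    """Reject a request whose header names include any deny-listed name."""
    _, headers, _ = parse_headers(raw)
    for name in headers:
        if name in DENY_HEADERS:
            return False, "URL contains disallowed header '%s:'" % name
    return True, "accepted"


def decode_chunked(data: bytes) -> bytes:
    """Strict chunked decoding: hex-only size field (int() alone would also
    accept '0x', '_' and whitespace), per-chunk and total limits, exact CRLF
    framing, and a mandatory 0 chunk followed by an empty line."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(CRLF, pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()   # drop chunk-ext
        if not size_field or len(size_field) > 8 or any(c not in HEX for c in size_field):
            raise ValueError("bad chunk size: %r" % size_field)
        size = int(size_field, 16)
        if size > MAX_CHUNK:
            raise ValueError("chunk of %d bytes exceeds limit" % size)
        pos = eol + 2
        if size == 0:
            while True:                  # optional trailer lines, then empty line
                eol = data.find(CRLF, pos)
                if eol < 0:
                    raise ValueError("unterminated trailer section")
                if eol == pos:
                    return bytes(out)
                pos = eol + 2
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        if data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk data not followed by CRLF")
        out += chunk
        if len(out) > MAX_BODY:
            raise ValueError("body exceeds limit")
        pos += size + 2


def read_body(raw: bytes) -> bytes:
    """Recover the entity body using whichever framing the request declares."""
    _, headers, rest = parse_headers(raw)
    te = headers.get("transfer-encoding", "").lower()
    if te and "content-length" in headers:
        raise ValueError("both Transfer-Encoding and Content-Length: ambiguous framing")
    if te:
        if te != "chunked":
            raise ValueError("unsupported transfer coding %r" % te)
        return decode_chunked(rest)
    if "content-length" in headers:
        length = headers["content-length"]
        if not length.isdigit() or len(rest) < int(length):
            raise ValueError("bad or truncated Content-Length body")
        return rest[:int(length)]
    return b""


if __name__ == "__main__":
    for chunked in (False, True):
        req = build_request("/script.asp", SAMPLE_BODY, chunked)
        ok, why = deny_header_verdict(req)
        print("HTTP/1.%d: %s; body intact: %s" % (chunked, why, read_body(req) == SAMPLE_BODY))
```

    Running it shows the HTTP/1.0 request carries no Transfer-Encoding header at all and passes the deny check, while the HTTP/1.1 chunked request is rejected with the same wording seen in the UrlScan log above; both decode to the identical body. Removing "transfer-encoding" from the deny list is exactly the trade-off David describes: the parser then has to be trusted with the chunk-size arithmetic, which is why the decoder refuses non-hex sizes, oversize chunks, broken CRLF framing, a missing 0 chunk, and requests that declare both framings.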
