Re: URLScan breaks the application

From: Keith W. McCammon (km_at_km.com)
Date: 04/14/04


Date: Wed, 14 Apr 2004 10:38:11 -0400

Why on earth would you truncate a file name and create ambiguity by
performing an uncontrolled character replacement? That seems to me to be a
terrible idea, from an application security and generally sound coding
perspective. Which leads me to my next point...

Of course your customers are hesitant to allow dot sequences in the path!
There's a very good reason that URLScan, server proxies, firewalls, etc. are
set up to block these types of sequences. They're nothing but an invitation
for trouble. And, aside from your application, there's no legitimate use for
them in any practical environment.

And to answer your questions:

Yes, IIS 6.0 incorporates a lot of the base functionality of URLScan into
the IIS core.

And the risk to them is substantial. This is not to say that they'll be
actively exploited the minute they turn it off. However, if they turn it
off and another exploit for the platform goes wild, they'll likely be sorry.

Bottom line: Your application needs to be fixed.

"Jay" <anonymous@discussions.microsoft.com> wrote in message
news:1c70101c42229$b62e55f0$a401280a@phx.gbl...
> I support a web based application which uses dots in the
> filenames of very long filenames. These filenames are
> randomly generated by users so it's not predetermined when
> they will occur. If the name defined by the user is over
> 20 characters long, then our software will truncate the
> filename and insert dots in the path. This causes
> urlscan to block the url when it is later requested by
> the app. I find some customers are hesitant to configure
> the urlscan.ini file to accept these dots in the
> filename. Has urlscan functionality been rolled into a
> Microsoft SP? How large is the risk to the customers
> server running this application if they do allow dots in
> the filename?
>
> Thanks,
> Jay
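As an added illustration of the two points in this exchange (this is example code written for this page, not code from either poster or from URLScan): first, why truncating a user-supplied name to a fixed length and swapping characters in creates ambiguity, and how to shorten a name without that ambiguity and without ever emitting a dot sequence; second, a small emulation of the two URLScan rules the thread is about. The `naive_shorten` function is a hypothetical stand-in for "truncate to 20 characters", not the poster's actual scheme, and `urlscan_would_block` assumes the urlscan.ini defaults as I know them (`..` in `[DenyUrlSequences]` and `AllowDotInPath=0`, which rejects a URL containing more than one period); it is a model of the rules, not the URLScan filter itself.

```python
import hashlib
import re

MAX_STEM = 20                      # the 20-character limit mentioned in the thread
SAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]")   # everything else is replaced by '_'


def naive_shorten(user_name: str) -> str:
    """Hypothetical 'just cut it off' scheme: distinct long names that share a
    20-character prefix collapse to the same file name, which is the ambiguity
    objected to above. Shown only as the bad baseline."""
    return user_name[:MAX_STEM]


def shorten_filename(user_name: str, ext: str = "") -> str:
    """Shorten a user-supplied name to a stem of at most MAX_STEM characters
    without ambiguity and without dot sequences.

    - Every character outside [A-Za-z0-9_-] (including '.', '/', '\\', ' ')
      becomes '_', so the stem never contains a dot at all.
    - If the stem is too long, it is cut and suffixed with 8 hex characters of
      a SHA-256 over the *full* original name, so two names that share a
      prefix still get different file names, and the same name always maps
      to the same file name (no randomness to track).
    - The only dot in the result is the one before the (sanitised) extension.
    """
    stem = SAFE_CHARS.sub("_", user_name)
    if len(stem) > MAX_STEM:
        digest = hashlib.sha256(user_name.encode("utf-8")).hexdigest()[:8]
        stem = stem[: MAX_STEM - 9] + "-" + digest      # 11 + 1 + 8 = 20 chars
    ext = SAFE_CHARS.sub("", ext)                          # extension gets no dots either
    return f"{stem}.{ext}" if ext else stem


DOT_SEQUENCE = re.compile(r"\.\.")


def urlscan_would_block(path: str, allow_dot_in_path: bool = False) -> bool:
    """Model of the two URLScan rules discussed in the thread (assumed defaults):
    '..' from [DenyUrlSequences] is always rejected, and with AllowDotInPath=0
    any URL containing more than one period is rejected as well."""
    if DOT_SEQUENCE.search(path):
        return True
    if not allow_dot_in_path and path.count(".") > 1:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    a = "quarterly report for the board 2004"
    b = "quarterly report for the board 2005"
    print("naive:", naive_shorten(a), "|", naive_shorten(b))          # identical -> ambiguous
    print("safe: ", shorten_filename(a, "txt"), "|", shorten_filename(b, "txt"))
    for p in ("/app/" + shorten_filename(a, "txt"), "/app/quarterly..report.txt", "/app/a.b.c"):
        print(p, "blocked" if urlscan_would_block(p) else "allowed")
```

The point of the hash suffix is that the file name stays deterministic and unique per original name while staying inside the length limit, so nothing has to be relaxed in urlscan.ini: the generated path never carries more than the single extension dot and never a `..` sequence.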