Re: URLScan and Server Variables - ASP.NET
From: Bernard Cheah [MVP] (qbernard_at_hotmail.com.discuss)
Date: 10/31/05
- Next message: Tymbow: "Re: IIS 6.0, Host Headers and SSL"
- Previous message: Bernard Cheah [MVP]: "Re: IIS6.0 Log file location"
- In reply to: KarthikR79_at_gmail.com: "URLScan and Server Variables - ASP.NET"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 31 Oct 2005 12:11:29 +0800
Well, looks normal to me. It gets blocked because
URL='/VirDir/SubDir/<%=mapPath%>/img/icons/logo.gif'
but <%=mapPath%> should be the 'variables' without the %
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/

<KarthikR79@gmail.com> wrote in message news:1130720205.961294.173470@g14g2000cwa.googlegroups.com...
> Hello
>
> I am using ASP.NET v1.1, IIS 5.0, URL Scan (URL Scan DLL Version
> 6.0.3615.0).
>
> I use server side variable in .aspx pages as follows:
>
> Say in '/VirDir/SubDir/Login.aspx' page - I have the following image:
>
> <img src="<%=mapPath%>/img/icons/logo.gif"> - Where mapPath is the
> server variable to hold my virtual Directory Name - VirDir.
>
> I find the following entry in URL Scan Log:
> [09-01-2005 - 14:00:37] Client at 127.0.0.1: URL contains sequence '%',
> which is disallowed. Request will be rejected. Site Instance='1', Raw
> URL='/VirDir/SubDir/<%=mapPath%>/img/icons/logo.gif'
>
> I could not reproduce this issue again - But it happened several times
> in the past. The '/VirDir/SubDir/Login.aspx' page looks fine with the
> image whenever I hit it.
>
> Any clues here will be of great help!
>
> Here is my URL Scan.ini:
>
> ----------------------------------------------------------
> [options]
> UseAllowVerbs=1                ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
> UseAllowExtensions=0           ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
> NormalizeUrlBeforeScan=1       ; if 1, canonicalize URL before processing
> VerifyNormalization=1          ; if 1, canonicalize URL twice and reject request if a change occurs
> AllowHighBitCharacters=0       ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
> AllowDotInPath=0               ; if 1, allow dots that are not file extensions
> RemoveServerHeader=0           ; if 1, remove "Server" header from response
> EnableLogging=1                ; if 1, log UrlScan activity
> PerProcessLogging=0            ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
> AllowLateScanning=1            ; if 1, then UrlScan will load as a low priority filter.
> PerDayLogging=1                ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
> RejectResponseUrl=             ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
> UseFastPathReject=0            ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request
>
> ; If RemoveServerHeader is 0, then AlternateServerName can be
> ; used to specify a replacement for IIS's built in 'Server' header
> AlternateServerName=
>
> LogLongUrls=1                  ; If 1, then up to 128K per request can be logged.
>                                ; If 0, then only 1k is allowed.
>
> ;
> ; LoggingDirectory can be used to specify the directory where the
> ; log file will be created. This value should be the absolute path
> ; (ie. c:\some\path). If not specified, then UrlScan will create
> ; the log in the same directory where the UrlScan.dll file is located.
> ;
>
> LoggingDirectory=C:\LogFiles
>
> [AllowVerbs]
>
> ;
> ; The verbs (aka HTTP methods) listed here are those commonly
> ; processed by a typical IIS server.
> ;
> ; Note that these entries are effective if "UseAllowVerbs=1"
> ; is set in the [Options] section above.
> ;
>
> GET
> HEAD
> POST
> OPTIONS
> DEBUG
>
> [DenyVerbs]
>
> ;
> ; The verbs (aka HTTP methods) listed here are used for publishing
> ; content to an IIS server via WebDAV.
> ;
> ; Note that these entries are effective if "UseAllowVerbs=0"
> ; is set in the [Options] section above.
> ;
>
> PROPFIND
> PROPPATCH
> MKCOL
> DELETE
> PUT
> COPY
> MOVE
> LOCK
> UNLOCK
> SEARCH
>
> [DenyHeaders]
>
> ;
> ; Request headers listed in this section will cause UrlScan to
> ; reject any request in which they are present.
> ;
> ; Headers should be listed in the form
> ; Header-Name:
> ;
>
> If:
> Lock-Token:
>
> ;Transfer-Encoding:
> Transfer-Encoding:
> [AllowExtensions]
>
> ;
> ; Extensions listed here are commonly used on a typical IIS server.
> ;
> ; Note that these entries are effective if "UseAllowExtensions=1"
> ; is set in the [Options] section above.
> ;
>
> .asp
> .cer
> .cdx
> .asa
> .htm
> .html
> .txt
> .jpg
> .jpeg
> .gif
>
> ;.idq
> ;.htw
> ;.ida
> ;.idc
> ;.shtm
> ;.shtml
> ;.stm
> ;.htr
> ;.printer
> ;.idq
> ;.htw
> ;.ida
> ;.idc
> ;.shtm
> ;.shtml
> ;.stm
> ;.htr
> ;.printer
> [DenyExtensions]
>
> ;
> ; Extensions listed here either run code directly on the server,
> ; are processed as scripts, or are static files that are
> ; generally not intended to be served out.
> ;
> ; Note that these entries are effective if "UseAllowExtensions=0"
> ; is set in the [Options] section above.
> ;
>
> ; Deny executables that could run on the server
> .exe
> .bat
> .cmd
> .com
>
> ; Deny infrequently used scripts
> .htw      ; Maps to webhits.dll, part of Index Server
> .ida      ; Maps to idq.dll, part of Index Server
> .idq      ; Maps to idq.dll, part of Index Server
> .htr      ; Maps to ism.dll, a legacy administrative tool
> .idc      ; Maps to httpodbc.dll, a legacy database access tool
> .shtm     ; Maps to ssinc.dll, for Server Side Includes
> .shtml    ; Maps to ssinc.dll, for Server Side Includes
> .stm      ; Maps to ssinc.dll, for Server Side Includes
> .printer  ; Maps to msw3prt.dll, for Internet Printing Services
>
> ; Deny various static files
> .ini      ; Configuration files
> .log      ; Log files
> .pol      ; Policy files
> .dat      ; Configuration files
>
> ;.asp
> ;.cer
> ;.cdx
> ;.asa
> ;.asp
> ;.cer
> ;.cdx
> ;.asa
> [DenyUrlSequences]
> ..        ; deny directory traversals
> ./        ; deny trailing dot on a directory name
> \         ; deny backslashes in URL
> :         ; deny alternate stream access
> %         ; deny escaping after normalization
> &         ; deny multiple CGI processes to run on a single request
> /fpdb/    ; deny browse access to FrontPage database files
> /_private ; deny FrontPage private files (often form results)
> /_vti_pvt ; deny FrontPage Web configuration files
> /_vti_cnf ; deny FrontPage metadata files
> /_vti_txt ; deny FrontPage text catalogs and indices
> /_vti_log ; deny FrontPage authoring log files
>
> [RequestLimits]
>
> ;
> ; The entries in this section impose limits on the length
> ; of allowed parts of requests reaching the server.
> ;
> ; It is possible to impose a limit on the length of the
> ; value of a specific request header by prepending "Max-" to the
> ; name of the header. For example, the following entry would
> ; impose a limit of 100 bytes to the value of the
> ; 'Content-Type' header:
> ;
> ; Max-Content-Type=100
> ;
> ; To list a header and not specify a maximum value, use 0
> ; (ie. 'Max-User-Agent=0'). Also, any headers not listed
> ; in this section will not be checked for length limits.
> ;
> ; There are 3 special case limits:
> ;
> ; - MaxAllowedContentLength specifies the maximum allowed
> ; numeric value of the Content-Length request header. For
> ; example, setting this to 1000 would cause any request
> ; with a content length that exceeds 1000 to be rejected.
> ; The default is 30000000.
> ;
> ; - MaxUrl specifies the maximum length of the request URL,
> ; not including the query string. The default is 260 (which
> ; is equivalent to MAX_PATH).
> ;
> ; - MaxQueryString specifies the maximum length of the query
> ; string. The default is 4096.
> ;
>
> MaxAllowedContentLength=30000000
> MaxUrl=16384
> MaxQueryString=4096
> ----------------------------------------------------------
>
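As an added example (not code from this thread, from UrlScan, or from Microsoft), here is a small Python triage helper for UrlScan rejections of the kind quoted above. It embeds a constructed excerpt of the [DenyUrlSequences] entries and the log line from the original post, reads which deny sequence fired, and flags whether the raw URL still carries an unrendered `<% ... %>` server tag, which is the point Bernard's reply makes. The ini reader, the `option_enabled` lookup and the single percent-decode standing in for `NormalizeUrlBeforeScan=1` are my own simplifications and are assumptions, not UrlScan's actual matching logic.

```python
import re
from urllib.parse import unquote

# Constructed excerpt of the UrlScan.ini quoted in the thread (only the
# parts this model needs). Text after ';' is a comment in this format.
URLSCAN_INI = r"""
[options]
NormalizeUrlBeforeScan=1       ; if 1, canonicalize URL before processing

[DenyUrlSequences]
..        ; deny directory traversals
./        ; deny trailing dot on a directory name
\         ; deny backslashes in URL
:         ; deny alternate stream access
%         ; deny escaping after normalization
&         ; deny multiple CGI processes to run on a single request
/fpdb/    ; deny browse access to FrontPage database files
/_vti_pvt ; deny FrontPage Web configuration files
"""

# Constructed copy of the UrlScan log entry from the original post.
SAMPLE_LOG_LINE = (
    "[09-01-2005 - 14:00:37] Client at 127.0.0.1: URL contains sequence '%', "
    "which is disallowed. Request will be rejected. Site Instance='1', "
    "Raw URL='/VirDir/SubDir/<%=mapPath%>/img/icons/logo.gif'"
)

# Shape of a UrlScan rejection line as it appears in the post (assumption:
# other rejection reasons follow the same "Client at ... Raw URL='...'" layout).
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<client>\S+): (?P<reason>.*?) "
    r"Site Instance='(?P<site>\d+)', Raw URL='(?P<url>[^']*)'$"
)


def parse_ini(ini_text):
    """Minimal UrlScan.ini reader (hypothetical helper): returns
    {section_name_lowercased: [entries...]} with ';' comments and blank
    lines stripped."""
    sections, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def option_enabled(sections, name):
    """True if [options] has name=1 (case-insensitive key match)."""
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        if key.strip().lower() == name.lower():
            return value.strip() == "1"
    return False


def first_denied_sequence(raw_url, sequences, normalize=True):
    """Return the first [DenyUrlSequences] entry present in the URL, or None.
    Assumption: one percent-decode approximates NormalizeUrlBeforeScan=1;
    an invalid escape such as '%=' survives decoding and so trips the '%' rule."""
    url = unquote(raw_url) if normalize else raw_url
    for seq in sequences:
        if seq in url:
            return seq
    return None


def triage(log_line, ini_text=URLSCAN_INI):
    """Explain a rejection: which deny sequence matched the logged raw URL,
    and whether that URL still contains an unevaluated ASP/ASP.NET tag."""
    m = LOG_RE.match(log_line)
    if m is None:
        return None
    sections = parse_ini(ini_text)
    entry = m.groupdict()
    entry["matched_sequence"] = first_denied_sequence(
        entry["url"],
        sections.get("denyurlsequences", []),
        normalize=option_enabled(sections, "NormalizeUrlBeforeScan"),
    )
    entry["unrendered_asp_tag"] = re.search(r"<%.*?%>", entry["url"]) is not None
    return entry


if __name__ == "__main__":
    result = triage(SAMPLE_LOG_LINE)
    print(result["client"], result["matched_sequence"], result["unrendered_asp_tag"])
    deny = parse_ini(URLSCAN_INI)["denyurlsequences"]
    # The URL the page should have produced once mapPath is rendered passes cleanly.
    print(first_denied_sequence("/VirDir/img/icons/logo.gif", deny))
```

For the quoted log line `triage` reports the `%` rule and `unrendered_asp_tag=True`, while the rendered path `/VirDir/img/icons/logo.gif` matches nothing. That is the useful split when reading such a log: a literal `<%=...%>` in the raw URL means the server tag reached the browser unevaluated, so the filter is doing its job and the fix belongs in how the page was served, not in relaxing [DenyUrlSequences].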