Re: Misbehaved CGI application headers

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 10/28/04

• Next message: David Wang [Msft]: "Re: Issue: IIS6(in Isolation Mode) and SSL"
• Previous message: David Wang [Msft]: "Re: HTTP 401.3 - Access denied by ACL on resource .exe"
• In reply to: DaveK: "Misbehaved CGI application headers"
• Next in thread: DaveK: "Re: Misbehaved CGI application headers"
• Reply: DaveK: "Re: Misbehaved CGI application headers"
• Messages sorted by: [ date ] [ thread ]

---

Date: Wed, 27 Oct 2004 21:19:06 -0700

That would be a security vulnerability -- information disclosure.

CGI applications can be run locally to generate the output, which can be
independently inspected.

Common causes of this CGI error on IIS6 include:
1. Not including a header that looks like "status: 200 OK" or request
doesn't start with a status line that looks like "HTTP/1.1 200 OK"
2. Not including a header that looks like "Content-Type: foo/bar"
3. Individual request headers are not terminated by CRLF (according to HTTP
spec) by rather either CR or LF.
4. End of request headers is not terminated by double CRLF

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"DaveK" <DaveK@discussions.microsoft.com> wrote in message
news:93EB7714-31BB-4853-A734-4DAD31F0ECBC@microsoft.com...
My application developers cannot fix their Perl code because IIS 6 does not
tell them where the error occured.
A sample bug in IIS 5 returns: The specified CGI application misbehaved by
not returning a complete set of HTTP headers. The headers it did return are:
Can't call method "dfgsdg" on an undefined value at
e:\Inetpub\Wwwroot\admintools\perltest.pl line 8.
Under IIS 6 I just get:  The specified CGI application misbehaved by not
returning a complete set of HTTP headers.
How do I get IIS 6 to include "The headers it did return are:"?
Thanks, Dave

---

• Next message: David Wang [Msft]: "Re: Issue: IIS6(in Isolation Mode) and SSL"
• Previous message: David Wang [Msft]: "Re: HTTP 401.3 - Access denied by ACL on resource .exe"
• In reply to: DaveK: "Misbehaved CGI application headers"
• Next in thread: DaveK: "Re: Misbehaved CGI application headers"
• Reply: DaveK: "Re: Misbehaved CGI application headers"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: cgi file limit size? ... i increased the timeout on the IIS server to 2,200 seconds and i can ... if i try to upload a 300 MB file, i get the dreaded CGI bad headers ... "CGI Error ... in the IIS log, i do see http error 400 with sc-win32-status of 64 ... (comp.lang.python) Re: Misbehaved CGI application headers ... The CGI developer said it was by design. ... response -- so the error message is gone. ... Individual request headers are not terminated by CRLF (according to ... > My application developers cannot fix their Perl code because IIS 6 does ... (microsoft.public.inetserver.iis) create file (image) based on header ... I'd like to use Alexia thumbnail service. ... different reasons I thought to backup once on a while the thumbs that I ... query the cgi ... to me to open a socket to a server and then get the headers setting the ... (comp.lang.php) Re: CGI error ... a complete set of HTTP headers... ... Have you built this CGI? ... Kristofer Gafvert - IIS MVP ... (microsoft.public.inetserver.iis) Re: mysterious line in my script - what does it all mean? ... maxwells> use CGI; ... maxwells> $query = new CGI; ... not mean the data will not contain additional headers. ... (comp.lang.perl.misc)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Internet-Server  > microsoft.public.inetserver.iis  > 2004-10