Re: Misbehaved CGI application headers

From: DaveK (DaveK_at_discussions.microsoft.com)
Date: 10/28/04


Date: Thu, 28 Oct 2004 05:57:06 -0700

If the error is such that the Perl interpreter cannot compile the code, then
the code will not have a chance to return any headers because Perl won't
execute it.

I just ran an ASP with junk in it and I got Active Server Pages error 'ASP
0221' and it gave me the exact line number and description of the error. How is
that not a "security vulnerability -- information disclosure"?

I know Microsoft is on a security binge, but you can't take away
functionality that users depend on and try to pass it off as a security
enhancement.

How can I get this fixed?

"David Wang [Msft]" wrote:

> That would be a security vulnerability -- information disclosure.
>
> CGI applications can be run locally to generate the output, which can be
> independently inspected.
>
> Common causes of this CGI error on IIS6 include:
> 1. Not including a header that looks like "status: 200 OK" or request
> doesn't start with a status line that looks like "HTTP/1.1 200 OK"
> 2. Not including a header that looks like "Content-Type: foo/bar"
> 3. Individual request headers are not terminated by CRLF (according to HTTP
> spec) but rather by either CR or LF.
> 4. End of request headers is not terminated by double CRLF
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "DaveK" <DaveK@discussions.microsoft.com> wrote in message
> news:93EB7714-31BB-4853-A734-4DAD31F0ECBC@microsoft.com...
> My application developers cannot fix their Perl code because IIS 6 does not
> tell them where the error occurred.
>
> A sample bug in IIS 5 returns: The specified CGI application misbehaved by
> not returning a complete set of HTTP headers. The headers it did return are:
> Can't call method "dfgsdg" on an undefined value at
> e:\Inetpub\Wwwroot\admintools\perltest.pl line 8.
>
> Under IIS 6 I just get: The specified CGI application misbehaved by not
> returning a complete set of HTTP headers.
>
> How do I get IIS 6 to include "The headers it did return are:"?
>
> Thanks, Dave
>
>
>
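
The quoted reply suggests running the CGI locally and inspecting its output; the following is an added example (not code from either poster or from Microsoft) that checks captured output against the four causes listed in that reply. The function name `check_cgi_headers` and the `GOOD` and `LF_ONLY` samples are constructed for illustration, and the checks follow the list in the thread rather than reproducing IIS's own parser.

```python
import re

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}\b")           # e.g. "HTTP/1.1 200 OK"
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):")  # "Name:" token

def check_cgi_headers(raw: bytes) -> list[str]:
    """Return the problems found in raw CGI output (empty list = none)."""
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("headers are not terminated by a double CRLF")
        # Fall back to any blank line so the remaining checks still run.
        head = re.split(rb"\r?\n\r?\n|\r\r", raw, maxsplit=1)[0]
    if re.search(rb"\r(?!\n)|(?<!\r)\n", head):
        problems.append("a header line ends in a bare CR or LF, not CRLF")
    names = set()
    lines = [ln for ln in re.split(rb"\r\n|\r|\n", head) if ln]
    for i, line in enumerate(lines):
        if i == 0 and STATUS_LINE.match(line):
            names.add(b"status")
            continue
        m = HEADER_LINE.match(line)
        if m:
            names.add(m.group(1).lower())
        else:
            problems.append("not a header line: %r" % line[:60])
    if b"status" not in names:
        problems.append("no Status: header or HTTP status line")
    if b"content-type" not in names:
        problems.append("no Content-Type: header")
    return problems

# Constructed samples; PERL_ERROR is the message quoted in the thread.
GOOD = b"Status: 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
LF_ONLY = b"Status: 200 OK\nContent-Type: text/html\n\n<html></html>"
PERL_ERROR = (b"Can't call method \"dfgsdg\" on an undefined value at "
              b"e:\\Inetpub\\Wwwroot\\admintools\\perltest.pl line 8.\n")

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("LF_ONLY", LF_ONLY),
                         ("PERL_ERROR", PERL_ERROR)]:
        print(name, check_cgi_headers(sample) or "ok")
```

Running this over output captured on the server keeps script paths and line numbers, such as those in the Perl message above, out of responses sent to remote clients.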


