Re: IIS LockDown and URLScan issues
From: Wade A. Hilmo [MS] (wadeh_at_microsoft.com)
Date: 01/12/05
- Next message: Mike Lonergan (MSFT): "RE: IIS 5.0 Maximum upload file size"
- Previous message: travis_at_metratech.com: "Re: IIS 6.0"
- In reply to: Adrian Herscu: "Re: IIS LockDown and URLScan issues"
- Next in thread: John Cesta: "Re: IIS LockDown and URLScan issues"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 11 Jan 2005 20:51:27 -0800
Hi Adrian,
The web server itself doesn't have difficulty determining the file type -
UrlScan does. The AllowDotInPath setting is a pure artifact of the UrlScan
implementation.
The reason for this is that UrlScan runs very early in the processing stage
of a request, before the server has had a chance to fully parse the URL.
The idea is that UrlScan gets a chance to reject the request before a
substantial amount of code runs. Because of this, UrlScan has to "guess"
what the file type is.
Based on the heuristics of the URL (and accounting for the fact that UrlScan
knows about how IIS works internally), UrlScan "knows" if it is highly
confident in its guess or not. The AllowDotInPath setting basically lets
you decide whether UrlScan should reject requests in the case where
confidence is low. A value of 1 allows all requests to proceed, regardless
of whether the guess is high or low confidence. A value of 0 causes UrlScan
to reject requests where the guess is not high confidence.
I hope that this helps to clear it up.
Thank you,
-Wade A. Hilmo,
-Microsoft
"Adrian Herscu" <bmf1972@axentra.net> wrote in message
news:uh$6J3z9EHA.2076@TK2MSFTNGP15.phx.gbl...
> Jeff,
>
> According to the mentioned article by Wade, the filtering of
> multi-dot URLs (*not* parent paths) is done because the Web
> server has difficulty deciding whether a path element refers
> to a "legitimate" file type (one that is mapped to the Web
> server) or that path element refers to a folder and further path
> elements could refer to "non-legitimate" file (this way
> bypassing the file type filtering mechanism).
>
> My question was whether this issue is Microsoft IIS and Windows
> specific or it is something general that applies to all kinds of
> Web servers and operating systems.
>
> Thanks for your reply,
> Adrian.
>
> Jeff Cochran wrote:
>
> > On Sun, 09 Jan 2005 13:14:44 +0200, Adrian Herscu
> > <bmf1972@axentra.net> wrote:
> >
> >
> >>That was very helpful!
> >>Now I am wondering if this problem is IIS specific or it is a
> >>general problem that applies to all kinds of Web servers and
> >>operating systems.
> >
> >
> > > Directory traversal affects all web servers, or at least can.
> > URLScan is IIS specific, as is the allow parent paths option in IIS6.
> >
> > Jeff
> >
> >
> >>Thanks for your time,
> >>Adrian.
> >>
> >>Wade A. Hilmo [MS] wrote:
> >>
> >>
> >>>Hi Adrian,
> >>>
> >>>I'm guessing that you are indirectly asking about the AllowDotInPath setting
> >>>in UrlScan.
> >>>
> >>>I've given a very detailed explanation of this setting, what it does, and
> >>>why it exists in the below post:
> >>>
> >>>http://groups-beta.google.com/group/microsoft.public.inetserver.iis.security/browse_thread/thread/c1652ae38f5190a5/525ce7ca7322dc83?q=wadeh+allowdotinpath&_done=%2Fgroups%3Fq%3Dwadeh+allowdotinpath%26hl%3Den%26btnG%3DGoogle+Search%26&_doneTitle=Back+to+Search&&d#525ce7ca7322dc83
> >>>
> >>>Thank you,
> >>>-Wade A. Hilmo,
> >>>-Microsoft
> >>>
> >>>"Adrian Herscu" <bmf1972@axentra.net> wrote in message
> >>>news:ur9Ii9E9EHA.2600@TK2MSFTNGP09.phx.gbl...
> >>>
> >>>
> >>>>Hi all,
> >>>>
> >>>>Why is more than one dot in a URL considered dangerous?
> >>>>(e.g. "MyWeb.site/somepath/file.xml")
> >>>>
> >>>>Thanks for your time,
> >>>>Adrian.
> >>>
> >>>
> >>>
> >
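To make the trade-off Wade describes concrete (and to answer Adrian's original question about a URL such as "MyWeb.site/somepath/file.xml"), here is an added example in Python. It is not UrlScan's code and not from anyone in this thread. It models two things: a filter that has to classify a request from the URL text alone, before the server has resolved the path, and the server's later resolution, where the first path prefix that names a real file becomes the target and the rest of the URL becomes PATH_INFO. The allow list, the site layout and the confidence rule used here (the guess is only "high confidence" when the final segment is the only one containing a dot) are assumptions for illustration; UrlScan's real internal heuristic is not given in this thread.

```python
"""Added example: a simplified UrlScan-style extension check with an
AllowDotInPath-like switch, next to a model of how the server resolves
the same URL afterwards.  Not UrlScan's implementation."""
import os
from typing import Tuple

# Constructed allow-list, in the spirit of an [AllowExtensions] section.
# The real list is an installation choice; these values are assumptions.
ALLOW_EXTENSIONS = {".htm", ".html", ".xml", ".gif", ".jpg", ".css", ".js"}

# Constructed web root (hypothetical, not a real site).  "script" means the
# file is mapped to a script engine; "static" means it is served as-is.
SITE_FILES = {
    "/somepath/file.xml": "static",
    "/app.asp": "script",
    "/archive.old/file.xml": "static",   # a legitimate folder with a dot
}


def segments(path: str):
    """Split a URL path into its non-empty elements."""
    return [s for s in path.split("/") if s]


def guess_extension(path: str) -> Tuple[str, bool]:
    """Guess the file type the way an early filter must: from the URL alone.

    Returns (extension, high_confidence).  The guess is the extension of
    the last segment.  Confidence is high only when no earlier segment has
    a dot; if one does, that segment may be the file the server actually
    maps and everything after it PATH_INFO, so the final extension says
    nothing about what will run.  (Assumed rule, for illustration.)"""
    parts = segments(path)
    if not parts:
        return "", True
    ext = os.path.splitext(parts[-1])[1].lower()
    earlier_dots = any("." in s for s in parts[:-1])
    return ext, not earlier_dots


def urlscan_like_check(path: str, allow_dot_in_path: int) -> Tuple[bool, str]:
    """Accept or reject before the server parses the URL.

    allow_dot_in_path mirrors AllowDotInPath: 1 lets low-confidence guesses
    through, 0 rejects them."""
    ext, confident = guess_extension(path)
    if ext and ext not in ALLOW_EXTENSIONS:
        return False, f"extension {ext} not in allow list"
    if not confident and allow_dot_in_path == 0:
        return False, "dot in a non-final path element; file type guess is low confidence"
    return True, "allowed"


def server_resolve(path: str) -> Tuple[str, str, str]:
    """Model the server's mapping: the longest leading prefix that names an
    existing file is the target, the remainder is PATH_INFO.
    Returns (target, kind, path_info); kind is "notfound" if nothing matched."""
    parts = segments(path)
    for i in range(len(parts), 0, -1):
        candidate = "/" + "/".join(parts[:i])
        if candidate in SITE_FILES:
            path_info = "/" + "/".join(parts[i:]) if i < len(parts) else ""
            return candidate, SITE_FILES[candidate], path_info
    return path, "notfound", ""


def evaluate(path: str, allow_dot_in_path: int) -> dict:
    """Run the early filter and the server model side by side."""
    allowed, reason = urlscan_like_check(path, allow_dot_in_path)
    target, kind, path_info = server_resolve(path)
    return {"path": path, "filter_allowed": allowed, "filter_reason": reason,
            "server_target": target, "server_kind": kind, "path_info": path_info}


if __name__ == "__main__":
    for p in ("/somepath/file.xml", "/app.asp/file.xml", "/archive.old/file.xml"):
        for setting in (0, 1):
            r = evaluate(p, setting)
            print(f"AllowDotInPath={setting} {p}: filter={r['filter_allowed']} "
                  f"({r['filter_reason']}); server maps to {r['server_target']} "
                  f"[{r['server_kind']}] path_info={r['path_info']!r}")
```

Running it shows the three cases the thread talks about. "/somepath/file.xml" has a dot only in its last segment, so the guess is high confidence and both settings allow it. "/app.asp/file.xml" looks like an .xml request to the filter, but the server maps it to app.asp (a script) with "/file.xml" as PATH_INFO, so an extension check on the final segment alone would be bypassed; AllowDotInPath=0 rejects it as low confidence, AllowDotInPath=1 lets it through. "/archive.old/file.xml" is a harmless file under a folder whose name contains a dot, and AllowDotInPath=0 rejects it too, which is the cost of setting 0 that Wade's "allows all requests to proceed" for setting 1 is weighing against.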