Re: IIS and URLScan
- Subject: Re: IIS and URLScan
- From: Rams <email@hidden>
- Date: Thu, 1 May 2008 10:53:24 -0400
On May 1, 2008, at 1:49 AM, Don Lindsay wrote:
> I ran into an issue on a deployed application. IIS has a tool
> called URLScan, which refuses URLs that could exploit security flaws
> in the IIS server. I have a Tomcat 5 instance running a WebObjects
> 5.4.2 application, connecting to IIS using the JK connector. When
> running the application, any page that had a paginated WORepetition
> and WODisplayGroup, if a user clicked the next button which called
> displayNextBatch, they would get a 404 error message.
>
> After a few hours I started checking the URLs, both running directly
> from Tomcat and from IIS. The URLs were identical, but then I had a
> thought that maybe URLScan was blocking the request.
>
> Turns out this was right on the money. Some URLs generated by
> WebObjects have periods in them. URLScan, by default, is configured
> to refuse URLs that contain periods.
>
> To fix this problem: edit %WINDIR%\system32\inetsrv\urlscan\urlscan.ini.
> Modify the option AllowDotInPath and set it equal to 1. Then go to the
> [AllowExtensions] section and add .woa and .wo to the end of the
> listing. Save the file and restart the IIS services.
Isn't that in place to prevent SQL injection attacks though?
Microsoft just finished blaming developers for exposing 500,000 IIS
servers to SQL injection about two days ago...
http://www.itpro.co.uk/news/192510/microsoft-denies-fault-for-massive-sql-attack.html
I think some may have trouble getting this particular solution past
our hosting company or management types who now have this on the
radar. Perhaps this could be accomplished with URL rewriting
instead? I'm using Tomcat standalone currently, but throwing the idea
out there anyway. I may be in your predicament sooner or later :-)
Good Luck!
Webobjects-dev mailing list (email@hidden)
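The two urlscan.ini settings discussed in the thread can be reproduced offline with a small model of what they do. The following is an added example, not code from either poster and not URLScan's own implementation: it models the documented meaning of AllowDotInPath (reject any URL containing more than one period) and of the [AllowExtensions]/[DenyExtensions] lists, then runs a few constructed request paths through the shipped-style configuration and through the changed one. The INI text, the URLs (including one in the shape of a WebObjects component-action URL) and the rule that extracts the extension are this example's assumptions.

```python
"""Simplified model of the two urlscan.ini settings changed in the post.

Added example, not code from the original post and not URLScan's own
implementation. It models the documented meaning of AllowDotInPath and of
the [AllowExtensions]/[DenyExtensions] lists so the effect of the change
can be reproduced offline. The INI text and URLs are constructed for this
example; how the extension is extracted is this model's assumption.
"""
import configparser
from urllib.parse import urlsplit

# Constructed urlscan.ini excerpt in the shipped shape: more than one period
# in the URL is rejected and the DenyExtensions list is the active filter.
DEFAULT_INI = """\
[options]
UseAllowExtensions=0
AllowDotInPath=0

[AllowExtensions]
.htm
.html
.txt

[DenyExtensions]
.exe
.bat
.cmd
.com
.ini
.log
"""

# The change from the post: AllowDotInPath=1, and .woa/.wo appended to the
# end of the [AllowExtensions] listing.
FIXED_INI = DEFAULT_INI.replace("AllowDotInPath=0", "AllowDotInPath=1").replace(
    ".txt\n", ".txt\n.woa\n.wo\n")

# Constructed request paths. The first has the shape of a WebObjects
# component-action URL (the kind a displayNextBatch link produces); the last
# is the disguise case Microsoft's URLScan documentation gives as the reason
# for the AllowDotInPath=0 default.
URLS = {
    "wo_next_batch": "/cgi-bin/WebObjects/Catalog.woa/wo/4F2m7x9Qw0/0.1.3.5.1",
    "plain_page": "/index.htm",
    "denied_ext": "/scripts/cmd.exe",
    "disguised": "/scripts/cmd.exe/harmless.htm",
}


def load_ini(text):
    """Parse urlscan.ini-style text; the extension sections have bare keys."""
    cfg = configparser.ConfigParser(allow_no_value=True, delimiters=("=",))
    cfg.read_string(text)
    return cfg


def extension_of(path):
    """Model assumption: the extension runs from the last period in the path
    to the next '/' or the end of the path; a path with no period is '.'."""
    dot = path.rfind(".")
    if dot < 0:
        return "."
    slash = path.find("/", dot)
    return (path[dot:] if slash < 0 else path[dot:slash]).lower()


def check_path(cfg, url):
    """Return (allowed, reason) for one request under the modelled rules."""
    path = urlsplit(url).path
    opts = cfg["options"]
    # Rule 1: with AllowDotInPath=0, any URL with more than one period is
    # rejected outright, before the extension is even looked at.
    if opts.getint("AllowDotInPath", 0) == 0 and path.count(".") > 1:
        return False, "more than one period in URL (AllowDotInPath=0)"
    # Rule 2: extension filtering, allow-list or deny-list depending on
    # UseAllowExtensions.
    ext = extension_of(path)
    if opts.getint("UseAllowExtensions", 0) == 1:
        if ext not in cfg["AllowExtensions"]:
            return False, f"extension {ext} not in [AllowExtensions]"
    elif ext in cfg["DenyExtensions"]:
        return False, f"extension {ext} in [DenyExtensions]"
    return True, "allowed"


def evaluate(ini_text, urls=URLS):
    """Map each URL name to whether the given urlscan.ini would pass it."""
    cfg = load_ini(ini_text)
    return {name: check_path(cfg, url)[0] for name, url in urls.items()}


if __name__ == "__main__":
    for label, ini in (("default", DEFAULT_INI), ("fixed", FIXED_INI)):
        cfg = load_ini(ini)
        print(f"--- {label} urlscan.ini ---")
        for name, url in URLS.items():
            allowed, reason = check_path(cfg, url)
            print(f"{name:14} {'ALLOW' if allowed else 'REJECT':6} {reason}")
```

Run as a script, the default configuration rejects the WebObjects URL for the reason the post found (several periods in the path), while the changed configuration passes it. The `denied_ext` row shows that the extension lists still apply after the change, so a request for `cmd.exe` is refused either way. The `disguised` row is what the change trades away: once more than one period is tolerated, a denied extension earlier in the path is no longer caught by the period rule, and the request is judged on the last extension alone. That is the point a hosting company or a reviewer is likely to raise, and it is worth having in hand before asking for the setting.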