Re: IIS and URLScan
- Subject: Re: IIS and URLScan
- From: Don Lindsay <email@hidden>
- Date: Thu, 1 May 2008 15:46:54 -0400
Hello;
If your site is using a deep packet inspection tool, you can disable
this without worrying about opening any SQL Injection issues.
Installing IIS and any database on the same server is begging for
trouble, a web server should be just that, a web server and nothing
else. Deep packet inspection is configured with RegEx expressions
that represent the URLs of the applications you have deployed.
Don
On May 1, 2008, at 10:53 AM, Rams wrote:
On May 1, 2008, at 1:49 AM, Don Lindsay wrote:
I ran into an issue on a deployed application. IIS has a tool
called URLScan, which refuses URLs that could exploit security
flaws in IIS server. I have a tomcat 5 instance running a Web
Objects 5.4.2 application, connecting to IIS using the JK
connector. When running the application, any page that had a
paginated WORepetition and WODisplayGroup, if a user clicked the
next button which called displayNextBatch they would get a 404
error message.
After a few hours I started checking the URLs both running directly
from tomcat and IIS. The URLs were identical, but then I had a
thought that maybe URLScan was blocking the request.
Turns out this was right on the money. Some URLs generated by
WebObjects have periods in them. URLScan, by default, is
configured to refuse URLs that contain periods.
To fix this problem: Edit %WINDIR%\system32\inetsrv\urlscan\urlscan.ini.
Modify the option AllowDotInPath and set it equal to 1. Then go to the
[AllowExtensions] section and add .woa and .wo to the end of the
listing. Save the file and restart the IIS services.
Isn't that in place to prevent SQL injection attacks though?
Microsoft just finished blaming developers for exposing 500,000 IIS
servers to SQL injection about two days ago...
http://www.itpro.co.uk/news/192510/microsoft-denies-fault-for-massive-sql-attack.html
I think some may have trouble getting this particular solution past
our hosting company or management types who now have this on the
radar. Perhaps this could be accomplished with URL rewriting
instead? I'm using Tomcat standalone currently, but throwing the
idea out there anyway. I may be in your predicament sooner or
later :-)
Good Luck!
--
Learn how to secure your email
(Mac OS X 10.3+) http://www.joar.com/certificates/
(Windows) http://www.marknoble.com/tutorial/smime/smime.aspx
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
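As an added example (not code from the thread or from URLScan itself), here is a small Python model of the two urlscan.ini settings discussed above, run against a constructed WebObjects component-action URL of the kind displayNextBatch produces. The extension-detection rule and the ini fragments are simplified assumptions for illustration, not URLScan's real parser or a real server's configuration.

```python
"""Simplified model of URLScan's AllowDotInPath and [AllowExtensions] checks.

Constructed example: approximates the behaviour described in the thread,
not URLScan's actual request parsing.
"""
import configparser
from urllib.parse import urlsplit

# Constructed urlscan.ini fragment resembling an allow-list deployment.
DEFAULT_INI = """
[Options]
UseAllowExtensions=1
AllowDotInPath=0

[AllowExtensions]
.asp
.htm
.html
"""

# The fix from the post: AllowDotInPath=1 plus .woa/.wo in [AllowExtensions].
FIXED_INI = DEFAULT_INI.replace("AllowDotInPath=0", "AllowDotInPath=1") + ".woa\n.wo\n"

# Constructed WebObjects component-action URL (element IDs contain many dots).
WO_URL = "/cgi-bin/WebObjects/MyApp.woa/wo/sessionXYZ/0.3.1.5.1"


def check_url(ini_text, url):
    """Return (allowed, reason) for a request path under the given ini text."""
    cp = configparser.ConfigParser(allow_no_value=True)  # ".asp" lines have no value
    cp.read_string(ini_text)
    allow_dot = cp.getint("Options", "AllowDotInPath", fallback=0)
    use_allow = cp.getint("Options", "UseAllowExtensions", fallback=0)
    allowed = {e.lower() for e in cp["AllowExtensions"]} if cp.has_section("AllowExtensions") else set()
    path = urlsplit(url).path
    if not allow_dot and path.count(".") > 1:
        return False, "rejected: multiple periods in path (AllowDotInPath=0)"
    # Assumption: the request extension is taken from the first dotted path
    # segment, e.g. "MyApp.woa"; extensionless requests pass this check.
    ext = next(("." + s.rsplit(".", 1)[1] for s in path.split("/") if "." in s), "")
    if use_allow and ext and ext.lower() not in allowed:
        return False, f"rejected: extension '{ext}' not in [AllowExtensions]"
    return True, "allowed"


if __name__ == "__main__":
    for name, ini in (("default", DEFAULT_INI), ("fixed", FIXED_INI)):
        print(name, WO_URL, check_url(ini, WO_URL))
    print("fixed", "/scripts/tool.exe", check_url(FIXED_INI, "/scripts/tool.exe"))
```

The last line shows that the change is narrow: the fix admits .woa requests with dotted element IDs while other extensions stay blocked by the allow list.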