Re: IIS and URLScan
  • Subject: Re: IIS and URLScan
  • From: Don Lindsay <email@hidden>
  • Date: Thu, 1 May 2008 15:46:54 -0400

Hello;

If your site is using a deep packet inspection tool, you can disable this without worrying about opening any SQL injection issues. Installing IIS and any database on the same server is begging for trouble; a web server should be just that, a web server and nothing else. Deep packet inspection is configured with RegEx expressions that represent the URLs of the applications you have deployed.

Don

On May 1, 2008, at 10:53 AM, Rams wrote:


On May 1, 2008, at 1:49 AM, Don Lindsay wrote:

I ran into an issue on a deployed application. IIS has a tool called URLScan, which refuses URLs that could exploit security flaws in the IIS server. I have a Tomcat 5 instance running a WebObjects 5.4.2 application, connecting to IIS using the JK connector. When running the application, any page that had a paginated WORepetition and WODisplayGroup, if a user clicked the next button which called displayNextBatch they would get a 404 error message.

After a few hours I started checking the URLs both running directly from Tomcat and IIS. The URLs were identical, but then I had a thought that maybe URLScan was blocking the request.

Turns out this was right on the money. Some URLs generated by WebObjects have periods in them. URLScan, by default, is configured to refuse URLs that contain periods.

To fix this problem: Edit %WINDIR%\system32\inetsrv\urlscan\urlscan.ini. Modify the option AllowDotInPath and set it equal to 1. Then go to the [AllowExtensions] section and add .woa and .wo to the end of the listing. Save the file and restart the IIS services.

Isn't that in place to prevent SQL injection attacks though? Microsoft just finished blaming developers for exposing 500,000 IIS servers to SQL injection about two days ago...


http://www.itpro.co.uk/news/192510/microsoft-denies-fault-for-massive-sql-attack.html

I think some may have trouble getting this particular solution past our hosting company or management types who now have this on the radar. Perhaps this could be accomplished with URL rewriting instead? I'm using Tomcat standalone currently, but throwing the idea out there anyway. I may be in your predicament sooner or later :-)

Good Luck!

--
Learn how to secure your email
(Mac OS X 10.3+) http://www.joar.com/certificates/
(Windows) http://www.marknoble.com/tutorial/smime/smime.aspx


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
@mac.com


This email sent to email@hidden

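The following is an added example, not code from the thread or from URLScan. It models the two urlscan.ini rules the thread turns on (AllowDotInPath and the [DenyUrlSequences] list), applies the edit Don describes to a constructed urlscan.ini fragment modelled on the URLScan 2.5 defaults, and shows what changes and what does not: a WebObjects component-action URL with several periods goes from rejected to accepted, while a classic IIS traversal probe is still rejected by [DenyUrlSequences]. AllowDotInPath=0 exists so the extension check cannot be disguised with path-info tricks of the form /BadFile.exe/SafeFile.htm (the example in Microsoft's own documentation), which is why the shipped urlscan.ini comment warns that setting it to 1 makes extension-based checks unreliable; it is not a SQL-injection filter. The matching logic here (more than one period in the path, plain substring matching for deny sequences) is an approximation of the documented behaviour; the function names parse_ini, urlscan_rejects and apply_webobjects_fix, the INI text and the sample URLs are all constructed for this example.

```python
"""Added example: toy model of URLScan's AllowDotInPath and [DenyUrlSequences]
rules, plus the urlscan.ini edit from the thread applied programmatically.
Approximation of documented behaviour, not URLScan's code."""

# Constructed urlscan.ini fragment modelled on URLScan 2.5 defaults (assumption).
ORIGINAL_INI = r"""
[options]
UseAllowVerbs=1
UseAllowExtensions=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0        ; If 1, allow dots that are not file extensions
RemoveServerHeader=0

[AllowExtensions]
.asp
.htm
.html
.txt
.jpg
.gif

[DenyUrlSequences]
..      ; directory traversal
./      ; trailing dot on a directory name
\       ; backslashes in URL
:       ; alternate stream access
%       ; escaping after normalization
&       ; multiple CGI processes in one request
"""


def parse_ini(text):
    """Minimal urlscan.ini reader -> {section: [(key, value or None), ...]}.
    List sections such as [AllowExtensions] hold bare entries with no '='."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()          # ';' begins a comment
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif '=' in line:
            key, value = (p.strip() for p in line.split('=', 1))
            sections[current].append((key, value))
        else:
            sections[current].append((line, None))
    return sections


def option(cfg, name, default):
    return dict(cfg.get('options', [])).get(name, default)


def urlscan_rejects(cfg, url):
    """Return the rule that would reject `url`, or None if it passes.
    Models [DenyUrlSequences] (substring match on the path) and AllowDotInPath=0
    (reject a path with more than one '.', so /BadFile.exe/SafeFile.htm cannot
    pass as an .htm request). Other URLScan checks are not modelled."""
    path = url.split('?', 1)[0]
    for seq, _ in cfg.get('DenyUrlSequences', []):
        if seq in path:
            return f'DenyUrlSequences: {seq!r}'
    if option(cfg, 'AllowDotInPath', '0') == '0' and path.count('.') > 1:
        return 'AllowDotInPath=0: more than one period in the path'
    return None


def apply_webobjects_fix(ini_text, extensions=('.woa', '.wo')):
    """The edit from the thread: AllowDotInPath=1 and the WebObjects extensions
    appended to [AllowExtensions]. Edits raw lines so comments survive; idempotent."""
    present = {k.lower() for k, _ in parse_ini(ini_text).get('AllowExtensions', [])}
    missing = [e for e in extensions if e.lower() not in present]
    out, section = [], None
    for raw in ini_text.splitlines():
        stripped = raw.split(';', 1)[0].strip()
        if stripped.startswith('[') and stripped.endswith(']'):
            if section == 'AllowExtensions' and missing:   # leaving the list: append there
                while out and not out[-1].strip():
                    out.pop()
                out.extend(missing + [''])
                missing = []
            section = stripped[1:-1]
        elif section == 'options' and stripped.split('=', 1)[0].strip() == 'AllowDotInPath':
            raw = 'AllowDotInPath=1' + ('  ;' + raw.split(';', 1)[1] if ';' in raw else '')
        out.append(raw)
    if section == 'AllowExtensions':                         # list was the final section
        out.extend(missing)
    return '\n'.join(out) + '\n'


# Constructed sample URLs: a WebObjects component-action URL of the dotted shape
# the thread describes, and a classic IIS traversal probe (not real traffic).
WO_URL = '/cgi-bin/WebObjects/MyApp.woa/wo/k3F0rTdfXv0/0.0.5.1.3.1'
PROBE_URL = '/scripts/..%255c../winnt/system32/cmd.exe?/c+dir'


def demo():
    before = parse_ini(ORIGINAL_INI)
    after = parse_ini(apply_webobjects_fix(ORIGINAL_INI))
    return {
        'wo_before': urlscan_rejects(before, WO_URL),
        'wo_after': urlscan_rejects(after, WO_URL),
        'probe_before': urlscan_rejects(before, PROBE_URL),
        'probe_after': urlscan_rejects(after, PROBE_URL),
        'allow_extensions_after': [k for k, _ in after['AllowExtensions']],
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(f'{name:24} {result}')
```

Running the block shows the WebObjects URL rejected only by the AllowDotInPath rule before the edit and accepted afterwards, while the traversal probe is caught by the ".." deny sequence in both configurations. The caveat the shipped urlscan.ini comment makes still stands: once AllowDotInPath=1, a request can carry more than one period, so the [AllowExtensions] check no longer reliably identifies what IIS will actually execute.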
References: 
 >Re: IIS and URLScan (From: Rams <email@hidden>)
