URLScan and percent signs

Posted by Hobbes on Stack Overflow See other posts from Stack Overflow or by Hobbes
Published on 2010-05-13T15:40:42Z Indexed on 2010/05/13 15:44 UTC
Read the original article Hit count: 436

Filed under:

iis

|

urlscan

|

percent

|

security

|

escape

So I just ran into a stupid problem in which users could not download files that had a percent sign in it. It wound up being URLScan. I had to un-set two things in urlscan.ini:

1) Set VerifyNormalization to 0 (disabled)
2) Remove the percent sign from the "DenyUrlSequences" section

Do an iisreset, and it problem solved. But the big question is: How much of a security risk is this?

© Stack Overflow or respective owner

Related posts about iis

How to find and fix issue with Pound and HAProxy

as seen on Server Fault - Search for 'Server Fault'
Pound sits in front of HAProxy (on the same box) to perform SSL off-load. Requests are passed to 127.0.0.1:80 where HAProxy then balances the requests across backend servers for a hosted ASP .NET web app. A user is getting HTTP error 500 (Internal Server Error) returned to their browser this morning… >>> More
How to migrate deploy RESTful WCF Web Service from IIS 6.0 to IIS 7.0

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi all, I have a WCF Restful Web Service. It works find under VS and IIS 6.0. Now I want to move it to another work station with IIS 7.0 on it. I tried to copy all the deploy file from IIS 6 to IIS 7, but it cannot be accessed by other client, except for the request from it's own machine. I don't… >>> More
Server with IIS and Apache - how to SSL encrypt Apache with IIS

as seen on Server Fault - Search for 'Server Fault'
I have a Windows Server 2003 box already setup and working with IIS 6. IIS is set to serve a site out over both HTTP and HTTPS connections using default ports. For various reasons I need to set Apache up on the same server and it needs to serve its pages to end-users as SSL encrypted HTTPS pages… >>> More
Having IIS remote management problem with my vista machine managing Server 2008 IIS 7.5

as seen on Server Fault - Search for 'Server Fault'
I am trying to use IIS 7 Remote Management installed on Vista Ultimate SP1. Connection is to IIS 7.5 on Windows Server 2008 Webserver R2. Tried on both full & core install. When I connect up, the console wants to download and install new features. Microsoft.Web.Management.IisClient 7.5.0.0 Microsoft… >>> More
MVC4 App opens with directory listing and gives a 404 for any direct URL's entered in the browser

as seen on Pro Webmasters - Search for 'Pro Webmasters'
I've just deployed a previously (on my local IIS) working MVC4 app to IIS 7.5 on the dev server. After tweaking this and that - one knows how these things get forgotten - the app finally launches, but shows a directory listing of the app root. Clicking on most links there works, opening the directory… >>> More

Related posts about urlscan

IIS 7.5 Request Filtering logs versus UrlScan 3.1

as seen on Server Fault - Search for 'Server Fault'
When IIS 7.5 Request Filtering blocks a request it seems to add an entry into the regular IIS web logs with a 404. a) Is there any way to send the detailed Request Filtering logs to a separate file? UrlScan could specify LoggingDirectory and keep this "noise" out of our real IIS logs b) Also, is… >>> More
Urlscan 3.1 block User Agent

as seen on Stack Overflow - Search for 'Stack Overflow'
I need to block requests from certain User Agents to our Sharepoint Environment that have been identified after going through the IIS logs. I have tried the below by amending the urlscan.ini config file and doing and iisreset, but it doesn't block anything. Am I entering the correct strings? I'm… >>> More
URLScan and percent signs

as seen on Stack Overflow - Search for 'Stack Overflow'
So I just ran into a stupid problem in which users could not download files that had a percent sign in it. It wound up being URLScan. I had to un-set two things in urlscan.ini: 1) Set VerifyNormalization to 0 (disabled) 2) Remove the percent sign from the "DenyUrlSequences" section Do an… >>> More
IIS can't serve files with accents and spaces in file names

as seen on Server Fault - Search for 'Server Fault'
My server recently stopped serve files with accents and spaces in filename. and example [http://jf-monteabraao.pt/UserFiles/File/OP%C3%87%C3%95ES%20DO%20PLANO%20-%20OR%C3%87AMENTO%202010.pdf][1] I not installed anything except urlscan but i seeing urlscan.ini and don't find any reference to… >>> More
Block specific User-Agent in IIS 6.0

as seen on Stack Overflow - Search for 'Stack Overflow'
Is it possible to block a specific User-Agent in IIS 6.0 without installing urlscan on the server? >>> More