
Thread: UrlScan not blocking URL segments

Last post 09-30-2008 2:45 PM by RedCrystal. 0 replies.


  • 09-30-2008, 2:45 PM

    • RedCrystal
    • Not Ranked
    • Joined on 05-29-2003, 11:21 AM
    • Elk Grove, CA
    • Posts 8

    UrlScan not blocking URL segments

    I'm using UrlScan 3.0 on IIS 6.0 (IIS 7.0 is not an option). 

    I need to block all requests for URLs which contain "NR" as a path segment:

    http://localhost/NR/....

    Here's my UrlScan.ini file (most settings are the defaults, changes are in italics, things I think are significant are in bold):

    [options]
    UseAllowVerbs=1               
    UseAllowExtensions=0          
    NormalizeUrlBeforeScan=1      
    VerifyNormalization=1         
    AllowHighBitCharacters=0      
    AllowDotInPath=0              
    RemoveServerHeader=0          
    EnableLogging=1               
    PerProcessLogging=0           
    AllowLateScanning=0           
    PerDayLogging=1               
    UseFastPathReject=0           
    LogLongUrls=0                 
    UnescapeQueryString=1
    RejectResponseUrl=/FilterRejectUrl
    LoggingDirectory=E:\UrlScan

    AlternateServerName=
    RuleList=BlockCmsNrRule

    [BlockCmsNrRule]
    DenyDataSection=BlockCmsNrRuleSegments
    ScanURL=1

    [BlockCmsNrRuleSegments]
    /NR/

    [RequestLimits]
    MaxAllowedContentLength=30000000
    MaxUrl=260
    MaxQueryString=2048

    [AllowVerbs]
    GET
    HEAD
    POST

    [DenyVerbs]
    PROPFIND
    PROPPATCH
    MKCOL
    DELETE
    PUT
    COPY
    MOVE
    LOCK
    UNLOCK
    OPTIONS
    SEARCH

    [DenyHeaders]
    Translate:
    If:
    Lock-Token:
    Transfer-Encoding:

    [AllowExtensions]
    .htm
    .html
    .txt
    .jpg
    .jpeg
    .gif

    [DenyExtensions]
    .exe
    .bat
    .cmd
    .com

    .htw    
    .ida    
    .idq    
    .htr    
    .idc    
    .shtm   
    .shtml  
    .stm    
    .printer

    .ini    
    .log    
    .pol    
    .dat    
    .config 

    [AlwaysAllowedUrls]

    [DenyUrlSequences]
    .. 
    ./ 
    \  
    :  
    %  
    &  

    [AlwaysAllowedQueryStrings]

    [DenyQueryStringSequences]
    <  
    >  

    The "Common UrlScan Scenarios" page (http://learn.iis.net/page.aspx/476/common-urlscan-scenarios/) says of the rule data section (which I've named [BlockCmsNrRuleSegments]) "This list is case insensitive and allows entering encoded values of the format %XX, where XX are hexadecimal digits."

    This is not quite what I'm encountering. If I use Fiddler to request http://localhost/%6ER/... (which is a valid escaped URL for /NR/ (case sensitive)), the request is indeed blocked (shows up in the log file and everything). But if I request http://localhost/%4Er/... (a valid escaped URL for /nr/ (case-sensitive)), that goes through and I get the resource I'm trying to block.

    Is there a better way to write the rule to make sure clever URL escaping is still blocked? Or just to make sure I can totally block all requests for anything with that path segment? What am I missing?

    Thanks,

    ->AlanM
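The behaviour described in the post is a canonicalisation question: a deny rule that compares the raw request path against "/NR/" will miss "%4Er" unless the path is percent-decoded and case-folded before the comparison. The following is an added example, not code from the forum post and not UrlScan's own matching logic; it shows a decode-then-match check of the kind that NormalizeUrlBeforeScan=1 and VerifyNormalization=1 imply. The deny list, the function names (normalize_path, is_denied) and the decision to reject double-encoded paths outright are my assumptions for illustration.

```python
"""Canonicalise-then-match check for a denied URL path segment.

Added example (not from the forum post or from UrlScan). Assumptions:
  - the deny list holds segments such as "/NR/", compared case-insensitively;
  - matching is done on the request path only, after one %XX decoding pass;
  - a path that still changes under a second decoding pass is double-encoded
    and is rejected, the same outcome UrlScan's VerifyNormalization aims for.
"""
from urllib.parse import unquote, urlsplit

# The [BlockCmsNrRuleSegments] entry from the post, as a deny list.
DENY_SEGMENTS = ["/NR/"]


def normalize_path(raw_path: str) -> str:
    """Return the canonical form of a request path used for matching.

    Percent-decodes once, folds backslashes to '/', and lower-cases so that
    "/NR/", "/%6ER/" and "/%4Er/" all become "/nr/". Raises ValueError when a
    second decoding pass still changes the string (double encoding).
    """
    decoded_once = unquote(raw_path)
    if unquote(decoded_once) != decoded_once:
        raise ValueError("double-encoded path rejected: %r" % raw_path)
    return decoded_once.replace("\\", "/").lower()


def is_denied(url: str) -> bool:
    """True when the URL's path contains any deny-list segment after
    canonicalisation, or when the path cannot be canonicalised safely."""
    path = urlsplit(url).path or "/"
    try:
        canonical = normalize_path(path)
    except ValueError:
        return True  # reject rather than guess at what the client meant
    # A trailing segment without a closing slash ("/nr") should still match "/nr/".
    if not canonical.endswith("/"):
        canonical += "/"
    return any(seg.lower() in canonical for seg in DENY_SEGMENTS)


if __name__ == "__main__":
    # Constructed sample requests, including the two from the post.
    for sample in [
        "http://localhost/NR/page.htm",
        "http://localhost/%6ER/page.htm",   # blocked in the post
        "http://localhost/%4Er/page.htm",   # slipped through in the post
        "http://localhost/%254ER/page.htm", # double-encoded
        "http://localhost/NRx/page.htm",    # different segment, allowed
        "http://localhost/index.htm?q=/NR/",# query string is not the path
    ]:
        print("%-40s denied=%s" % (sample, is_denied(sample)))
```

The point the check makes is that the decision must be taken on the decoded, case-folded path and never on the raw bytes; if the deployed filter is seen to pass "%4Er" while blocking "%6ER", the comparison is happening before decoding or before case-folding, and the configuration (or product) needs to be corrected rather than the deny list extended with more spellings.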
Microsoft Communities