The UrlScan team would like to announce the release of UrlScan 3.1.
This release adds a new scanning feature to detect and block unescaped '%' characters in various parts of the request. The reason for the new feature is to help address a new SQL injection variation that's been seen by our security team. I've written a blog entry that describes this new variation and how to block it.
In addition to this new feature, we have fixed the following bugs:
Finally, we have changed the behavior of the [AlwaysAllowedUrls] section. In UrlScan 3.0, URLs listed in this section are exempt from URL-based checks by UrlScan. Effective with UrlScan 3.1, URLs listed in this section are exempt from all UrlScan checks. This change makes it possible to set up stricter UrlScan rules for the query string and other parts of the request, and then use [AlwaysAllowedUrls] for pages that are known to be safe to run.
The UrlScan team recommends that anyone using UrlScan update to this latest version. Downloads are available at the following locations:
UrlScan 3.1 for x86
UrlScan 3.1 for x64
Support for UrlScan 3.1 is available through normal product support channels. Also, please feel free to discuss UrlScan on this forum. As always, the product group reads everything posted here.
Thanks,
-Wade
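The following is an added illustration of the two behaviours described in this announcement, written for this page and not taken from UrlScan itself: it treats a '%' that is not followed by two hexadecimal digits as unescaped (an assumption about what "unescaped" means here; UrlScan's exact matching rules are not on this page), checks the URL, the query string and header values, and exempts an [AlwaysAllowedUrls]-style list from every check, as UrlScan 3.1 does. The allowed path and the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: a '%' not followed by exactly two hex digits is "unescaped".
UNESCAPED_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Constructed stand-in for the [AlwaysAllowedUrls] section. Under the 3.1
# behaviour described in the post, these URLs skip all checks, not just
# URL-based ones, so stricter query-string rules can coexist with them.
ALWAYS_ALLOWED_URLS = {"/reports/legacy.asp"}


def parse_request(raw: str):
    """Split a raw HTTP request head into (method, path, query, headers)."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, parts.path, parts.query, headers


def find_unescaped_percent(raw: str):
    """Return [(request_part, offending_text), ...]; [] when the request is
    clean or its URL is exempt via the always-allowed list."""
    _method, path, query, headers = parse_request(raw)
    if path.lower() in ALWAYS_ALLOWED_URLS:
        return []               # exempt from every check (3.1 semantics)
    findings = []
    if UNESCAPED_PERCENT.search(path):
        findings.append(("url", path))
    if UNESCAPED_PERCENT.search(query):
        findings.append(("query string", query))
    for name, value in headers.items():
        if UNESCAPED_PERCENT.search(value):
            findings.append(("header " + name, value))
    return findings


if __name__ == "__main__":
    # Constructed sample: "%25" is a proper escape, the trailing "%" and
    # the "%zz" in the cookie are not.
    sample = ("GET /search.asp?q=50%25+off&x=5% HTTP/1.1\r\n"
              "Host: www.example.test\r\nCookie: a=1%zz\r\n\r\n")
    for part, text in find_unescaped_percent(sample):
        print(f"unescaped '%' in {part}: {text!r}")
```

A request that trips the check would be rejected by UrlScan; the function here only reports where the '%' was found so the rule can be tuned against real traffic before enforcing it.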