URLScan and Server Variables - ASP.NET


Re: URLScan and Server Variables - ASP.NET Bernard Cheah [MVP]
10/30/2005 12:00:00 AM
Well, looks normal to me. It gets blocked because
URL='/VirDir/SubDir/<%=mapPath%>/img/icons/logo.gif'

but <%=mapPath%> should be the 'variables' without the %

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/


URLScan and Server Variables - ASP.NET KarthikR79 NO[at]SPAM gmail.com
10/30/2005 4:56:46 PM
Hello

I am using ASP.NET v1.1, IIS 5.0, and UrlScan (UrlScan DLL version
6.0.3615.0).

I use a server-side variable in .aspx pages as follows:

Say in the '/VirDir/SubDir/Login.aspx' page I have the following image:

<img src="<%=mapPath%>/img/icons/logo.gif"> - where mapPath is the
server variable that holds my virtual directory name, VirDir.

I find the following entry in the UrlScan log:
[09-01-2005 - 14:00:37] Client at 127.0.0.1: URL contains sequence '%',
which is disallowed. Request will be rejected. Site Instance='1', Raw
URL='/VirDir/SubDir/<%=mapPath%>/img/icons/logo.gif'

I could not reproduce this issue again, but it happened several times
in the past. The '/VirDir/SubDir/Login.aspx' page looks fine with the
image whenever I hit it.

Any clues here will be of great help!

Here is my UrlScan.ini:

----------------------------------------------------------
[options]
UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1 ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0 ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0 ; if 1, allow dots that are not file extensions
RemoveServerHeader=0 ; if 1, remove "Server" header from response
EnableLogging=1 ; if 1, log UrlScan activity
PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=1 ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1 ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl= ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0 ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=

LogLongUrls=1 ; If 1, then up to 128K per request can be logged.
; If 0, then only 1k is allowed.

;
; LoggingDirectory can be used to specify the directory where the
; log file will be created. This value should be the absolute path
; (ie. c:\some\path). If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;

LoggingDirectory=C:\LogFiles

[AllowVerbs]

;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST
OPTIONS
DEBUG

[DenyVerbs]

;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;

PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
SEARCH

[DenyHeaders]

;
; Request headers listed in this section will cause UrlScan to
; reject any request in which they are present.
;
; Headers should be listed in the form
; Header-Name:
;

If:
Lock-Token:

;Transfer-Encoding:
Transfer-Encoding:

[AllowExtensions]

;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.asp
.cer
.cdx
.asa
.htm
.html
.txt
.jpg
.jpeg
.gif

;.idq
;.htw
;.ida
;.idc
;.shtm
;.shtml
;.stm
;.htr
;.printer

[DenyExtensions]

;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;

; Deny executables that could run on the server
.exe
.bat
.cmd
.com

; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services

; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files

;.asp
;.cer
;.cdx
;.asa

[DenyUrlSequences]
.. ; deny directory traversals
./ ; deny trailing dot on a directory name
\ ; deny backslashes in URL
: ; deny alternate stream access
% ; deny escaping after normalization
& ; deny multiple CGI processes to run on a single request
/fpdb/ ; deny browse access to FrontPage database files
/_private ; deny FrontPage private files (often form results)
/_vti_pvt ; deny FrontPage Web configuration files
/_vti_cnf ; deny FrontPage metadata files
/_vti_txt ; deny FrontPage text catalogs and indices
/_vti_log ; deny FrontPage authoring log files

[RequestLimits]

;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header. For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
; Max-Content-Type=100
;
; To list a header and not specify a maximum value, use 0
; (ie. 'Max-User-Agent=0'). Also, any headers not listed
; in this section will not be checked for length limits.
;
; There are 3 special case limits:
;
; - MaxAllowedContentLength specifies the maximum allowed
; numeric value of the Content-Length request header. For
; example, setting this to 1000 would cause any request
; with a content length that exceeds 1000 to be rejected.
; The default is 30000000.
;
; - MaxUrl specifies the maximum length of the request URL,
; not including the query string. The default is 260 (which
; is equivalent to MAX_PATH).
;
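To make the interaction between the settings in this file concrete, here is an added Python model of the checks the posted configuration enables. It is an illustration written for this page, not UrlScan's own code: the check order and the treatment of "normalization" as one pass of percent-decoding are assumptions (the real filter also canonicalizes the path). It shows why the literal <%=mapPath%> URL from the log above trips the '%' sequence rule even with NormalizeUrlBeforeScan=1, and what VerifyNormalization=1 and AllowDotInPath=0 reject.

```python
import urllib.parse

# Simplified model of the checks turned on in the UrlScan.ini posted above.
# Added illustration, not UrlScan's code: check order and "normalization ==
# percent-decoding" are assumptions made for this example.
NORMALIZE_URL_BEFORE_SCAN = True   # NormalizeUrlBeforeScan=1
VERIFY_NORMALIZATION = True        # VerifyNormalization=1
ALLOW_DOT_IN_PATH = False          # AllowDotInPath=0
DENY_URL_SEQUENCES = ["..", "./", "\\", ":", "%", "&", "/fpdb/", "/_private",
                      "/_vti_pvt", "/_vti_cnf", "/_vti_txt", "/_vti_log"]
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".htw", ".ida", ".idq", ".htr",
                   ".idc", ".shtm", ".shtml", ".stm", ".printer",
                   ".ini", ".log", ".pol", ".dat"}


def normalize(url):
    """Canonicalization step, modelled here as a single pass of %XX decoding."""
    return urllib.parse.unquote(url)


def extension_of(url):
    """Lower-cased extension of the final path segment, or '' if it has none."""
    last = url.rsplit("/", 1)[-1]
    return ("." + last.rsplit(".", 1)[1]).lower() if "." in last else ""


def scan_url(raw_url):
    """Return (accepted, reason) for a raw request URL (path only, no query string)."""
    url = normalize(raw_url) if NORMALIZE_URL_BEFORE_SCAN else raw_url

    # VerifyNormalization: decoding a second time must change nothing; if it
    # does, the request was encoded twice to slip past the first pass.
    if VERIFY_NORMALIZATION and normalize(url) != url:
        return False, "URL normalization changed on second pass"

    # DenyUrlSequences are matched against the normalized URL. A literal
    # "<%=mapPath%>" has no valid %XX escape, so the '%' survives decoding
    # and is caught here, exactly as in the log entry quoted in the thread.
    for seq in DENY_URL_SEQUENCES:
        if seq in url:
            return False, f"URL contains sequence '{seq}'"

    # AllowDotInPath=0: a dot is only permitted as the file-name extension.
    segments = url.split("/")
    if not ALLOW_DOT_IN_PATH:
        if any("." in s for s in segments[:-1]) or segments[-1].count(".") > 1:
            return False, "URL contains a dot that is not a file extension"

    ext = extension_of(url)
    if ext in DENY_EXTENSIONS:
        return False, f"URL contains extension '{ext}'"

    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample URLs; the second is the one from the log above.
    for u in ["/VirDir/img/icons/logo.gif",
              "/VirDir/SubDir/<%=mapPath%>/img/icons/logo.gif",
              "/VirDir/img/icons/logo%20big.gif",
              "/VirDir/%252e%252e/private/notes.txt",
              "/VirDir/logs.old/readme.txt",
              "/VirDir/tools/setup.exe"]:
        print(u, "->", scan_url(u))
```

The third sample shows the point of NormalizeUrlBeforeScan=1: a normal single-encoded space is decoded before the '%' rule runs, so only escapes that survive decoding are rejected. The fourth shows what VerifyNormalization=1 adds on top of that.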
Re: URLScan and Server Variables - ASP.NET David Wang [Msft]
10/31/2005 2:03:14 PM
Nothing looks wrong with URLScan/ServerVariables to me.

If URLScan is configured to block %-character and it shows up in the
requested URL by the client, then it should be rejected.

You should be looking at *why* the mapPath variable in:
<img src="<%=mapPath%>/img/icons/logo.gif">

is not being resolved/substituted prior to being sent back as a response --
because that failure is what is causing the browser to subsequently make a
request to a URL that contains a %-character, which is correctly rejected by
URLScan.

If I have to guess, it sounds like sometimes your ASP.Net page does NOT get
processed as an ASP.Net page and was randomly working as a plain HTML page
before... but not anymore.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
Re: URLScan and Server Variables - ASP.NET KarthikR79 NO[at]SPAM gmail.com
11/2/2005 11:05:50 AM
Hi David,

Yeah - I see what you mean.

I tried:

Having an HTML page with this server-side variable to check how it is
logged. UrlScan logs it as:

Client at 127.0.0.1: URL contains sequence '%',
which is disallowed. Request will be rejected. Site Instance='1', Raw
URL='/<%=mapPath%>/img/icons/logo.gif'

Note that "/VirDir/SubDir" is missing here, as opposed to the same kind of
logging for an ASP.NET page with server variables.

I also have IISLockdown installed, which maps HTML files to 404.dll, but
ASPX is mapped very much to aspnet_isapi.dll.

I also got the same kind of logging from a box which does not have Visual
Studio .NET in it, so that rules out VS.NET doing some trick while
running via VS.NET.

I am not sure when IIS will stop processing ASP.NET as ASP.NET and throw
server-side code to the client!!! Is this due to load? Can I track this
using IIS logs?
Re: URLScan and Server Variables - ASP.NET David Wang [Msft]
11/6/2005 9:54:12 PM

That is expected and by design. An HTML page would not have any processing, so
the URL should be as-is, and that is exactly what the browser requested and
URLScan denied. Nothing looks wrong here either.

But I'm not certain what you are trying to prove with this because it
doesn't prove anything.



I doubt load has anything to do with it, and I doubt IIS logs will help --
the log file is meant to track results of request processing (this is what
people want in log files), not debug tracing of request execution and what
steps were taken (this is what people want when they are trying to
troubleshoot server-behavior).

It seems that somewhere in there, ASP.Net fails to correctly process the
page. That would have nothing to do with IIS nor URLScan -- you should be
able to reproduce your situation WITHOUT URLScan running (since the
unprocessed IMG tag will result in the same 404 that URLScan will send -- so
from browser perspective, the two behaviors are the same).

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
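Two observations in this thread make the symptom easy to pick out of a UrlScan log: David's point that the rejected URL is exactly what the browser requested, so a literal <%=...%> in it means the page was delivered without being processed, and Karthik's observation that the '/VirDir/SubDir' prefix before the tag tells a processed .aspx apart from a plain HTML page. The following Python script is an added example written for this page, not code from the thread or from UrlScan. It parses rejection lines in the format quoted above, separates leaked server-side tags from ordinary percent escapes (the case the '%' rule exists for), and counts which page directories produced the leak; the log lines are constructed, with made-up timestamps, client addresses and paths.

```python
import re
from collections import Counter

# Constructed sample log, in the line format UrlScan produced in the thread
# (first and third entries mirror the ones quoted; the rest are invented).
SAMPLE_LOG = """\
[09-01-2005 - 14:00:37] Client at 127.0.0.1: URL contains sequence '%', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/VirDir/SubDir/<%=mapPath%>/img/icons/logo.gif'
[09-01-2005 - 14:00:39] Client at 127.0.0.1: URL contains sequence '%', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/VirDir/SubDir/<%=mapPath%>/img/icons/bg.gif'
[11-02-2005 - 09:12:04] Client at 127.0.0.1: URL contains sequence '%', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/<%=mapPath%>/img/icons/logo.gif'
[11-02-2005 - 09:15:51] Client at 10.0.0.7: URL contains sequence '%', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/VirDir/docs/file%2520name.txt'
[11-02-2005 - 09:16:02] Client at 10.0.0.7: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/VirDir/../private/notes.txt'
this line is not a UrlScan rejection and is skipped
"""

# Field layout assumed from the entries quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<ip>[^:]+): (?P<reason>.+?)\. "
    r"Request will be rejected\. Site Instance='(?P<site>[^']*)', Raw URL='(?P<url>.*)'$"
)
SERVER_TAG_RE = re.compile(r"<%.*?%>")        # ASP/ASP.NET inline expression
PCT_ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")  # an ordinary percent escape


def parse_line(line):
    """Return the fields of one rejection entry, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(url):
    """Why the raw URL contains a '%': leaked server tag, percent escape, or neither."""
    if SERVER_TAG_RE.search(url):
        return "unprocessed_server_tag"
    if PCT_ESCAPE_RE.search(url):
        return "percent_escape"
    return "other"


def page_dir(url):
    """Directory prefix that preceded the leaked tag: the folder of the page that served it."""
    return url[: SERVER_TAG_RE.search(url).start()] or "/"


def triage(log_text):
    """Count rejection kinds and, for leaked tags, the directories they came from."""
    counts = Counter()
    leaked = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry["url"])
        counts[kind] += 1
        if kind == "unprocessed_server_tag":
            leaked[page_dir(entry["url"])] += 1
    return {"counts": dict(counts), "leaked_tag_dirs": dict(leaked)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("rejections by kind:", result["counts"])
    print("pages served unprocessed, by directory:", result["leaked_tag_dirs"])
```

Run against the sample, the three leaked-tag entries are attributed to '/VirDir/SubDir/' (an .aspx served unprocessed) and '/' (the plain HTML test page from Karthik's follow-up), which is the split David asks about: the leak is an ASP.NET processing failure, and the '%' rejection is only the visible side effect.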

Re: URLScan and Server Variables - ASP.NET KarthikR79 NO[at]SPAM gmail.com
11/7/2005 5:31:47 PM
David,

I was confirming that it is not a log produced by an HTML page where, due
to some strange reason, server-side tags were added! :-)

