I'm not saying that your solution does not work; I am simply pointing out
the relevant security detail.
In general, what you are trying to do does NOT work. See the blog entry for
details:
http://blogs.msdn.com/david.wang/archive/2005/07/18/Why_URLScan_ignores_querystring_for_DenyUrlSequences.aspx
Without knowing EXACTLY how the querystring is decoded by the application,
you cannot correctly filter it. This is the classic problem with
filtering -- you must reach canonical (or normalized) form before applying
logical filtering to make it effective, and without a specification
detailing how to reach canonical form, filtering is useless because it can
be bypassed.
For example, what happens if "_" is %-decoded or UTF8-decoded by the
application? It can escape your filtering but still affect the application.
Sure, you can filter on those forms, but that is non-scalable complexity.
Of course, you can reach suitably constrained and localized solutions, but
please do not mistake it as the right solution.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"West, I" <iain_west78@hotmail.com> wrote in message
news:%23SPrkZ4mGHA.200@TK2MSFTNGP03.phx.gbl...
> Thanks, downloaded mod_rewrite and got it working how I wanted in minutes!
> Thanks again.
>
>
> "Chris Crowe [MVP 1997 -> 2006]" <IISMVP2005@iisfaq.homeip.net> wrote in
> message news:ODQ5sK2mGHA.976@TK2MSFTNGP03.phx.gbl...
>> You need an ISAPI re-writing tool. This would allow you to redirect on
>> the fly when you see a particular regular expression.
>>
>> There are a lot around - some free, some commercial.
>>
>> See
>> http://blog.crowe.co.nz/category/19.aspx
>>
>> --
>>
>> Cheers
>>
>> Chris Crowe [IIS MVP 1997 -> 2006]
>>
>> http://blog.crowe.co.nz
>> ------------------------------------------------
>>
>>
>> "West, I" <iain_west78@hotmail.com> wrote in message
>> news:Oli%23LU1mGHA.2256@TK2MSFTNGP04.phx.gbl...
>>> Hi,
>>>
>>> I have a client site who runs IIS5 as his web server with Filemaker 6 as
>>> their backend database.
>>>
>>> There is a major security flaw with the Filemaker web publishing engine
>>> and with a simple url string (e.g. fmpro?-format=-dso_xml&-dbnames) you
>>> can then view all the published databases, then you can drill down and
>>> view and execute the scripts in the database and you can view all the
>>> data stored in the database.
>>>
>>> What I would like to do is filter the query string, so each time dso_xml
>>> is found in the URL I would like to redirect to a 404 page. I have
>>> looked at URLScan but I can't seem to get it to filter my url strings.
>>>
>>> Can anyone give me any suggestions?
>>>
>>> TIA
>>>
>>> PS. Upgrading to Filemaker 8 is a major project and will take months to
>>> complete as the whole database system has been rebuilt and switching
>>> database products will not happen.
>>>
>>>
>>
>>
>
>
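To illustrate David Wang's point above about reaching canonical form before filtering, here is an added Python example (not code from anyone in the thread) that runs a naive substring filter and a decode-first filter over constructed query strings. It assumes the application percent-decodes the query string, possibly more than once, and nothing else; the thread's point stands that without the application's actual decoding specification even this canonicalizer may differ from what the application does.

```python
"""Naive filter vs. canonicalize-then-filter on constructed query strings."""
from urllib.parse import unquote

BLOCKED_TOKEN = "dso_xml"   # the token the original poster wanted to block
MAX_DECODE_ROUNDS = 3       # bound repeated decoding so it always terminates


def naive_filter_blocks(raw_query: str) -> bool:
    """Filter applied to the raw query string, before any decoding."""
    return BLOCKED_TOKEN in raw_query.lower()


def canonicalize(raw_query: str, rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode repeatedly until the string stops changing or the bound is hit.

    unquote() decodes %XX sequences, including %-encoded UTF-8 bytes, into text.
    Overlong or otherwise invalid UTF-8 forms are NOT normalized here; that is
    exactly the kind of gap the post warns about when the decoder is unknown.
    """
    current = raw_query
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def canonical_filter_blocks(raw_query: str) -> bool:
    """Filter applied after the (assumed) canonical form has been reached."""
    return BLOCKED_TOKEN in canonicalize(raw_query)


# Constructed sample requests (not taken from the thread): the same logical
# request in progressively more encoded forms, plus one benign request.
SAMPLE_QUERIES = {
    "plain":          "-format=-dso_xml&-dbnames",
    "percent":        "-format=-dso%5Fxml&-dbnames",    # "_" sent as %5F
    "double_percent": "-format=-dso%255Fxml&-dbnames",  # the "%" encoded once more
    "benign":         "-format=html&-db=products",
}


def compare_filters(queries=SAMPLE_QUERIES):
    """Return {name: (naive_blocks, canonical_blocks)} for every sample query."""
    return {name: (naive_filter_blocks(q), canonical_filter_blocks(q))
            for name, q in queries.items()}


if __name__ == "__main__":
    for name, (naive, canon) in compare_filters().items():
        print(f"{name:15s} naive={naive!s:5s} canonical={canon}")
```

The naive filter misses the encoded forms that decode to the blocked token, while the decode-first filter catches them without flagging the benign request.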