[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[port139:00751] Re: URLScan $B$N(B [DenyUrlSequences]

To: port139@xxxxxxxxxxxxx
Subject: [port139:00751] Re: URLScan $B$N(B [DenyUrlSequences]
From: Hideaki Ihara <hideaki@xxxxxxxxxxxxx>
Date: Mon, 22 Oct 2001 16:01:46 +0900

Port139 $B0K86$G$9!#(B
(B
(BHideaki Ihara $B$5$s$O=q$-$^$7$?(B:
(B>$B$H$7$F$b(B URLscan $B$,5qH]$7$J$$$N$G!"(B? $B0J9_$NJ8;zNs$r%A%'%C%/BP>]$K$7$F(B
(B>$B$$$J$$$H;W$o$l$^$9!#(B
(B
$B$H$$$&$3$H$G!"$3$N7o$K$D$$$F(B secure@xxxxxxxxxxxxx $B$+$iJVEz$,(B
$B$"$j$^$7$?!#(B
$B7kO@$+$i$$$/$H!"(BURLscan $B$G$O%/%(%jJ8;zNs$K$D$$$F$O8!::BP>]$K(B
$B$J$i$J$$$C$F$3$H$_$?$$$G$9$M!#(B
$B!t(BKB $B$K>\$7$/=q$$$F$*$$$FM_$7$$$>(B
(B
(B-----Original Message-----
(BFrom: Microsoft Security Response Center 
(BSent: Thursday, October 18, 2001 6:29 PM
(BTo: 'Hideaki Ihara'
(BCc: Microsoft Security Response Center
(BSubject: RE: URLscan [DenyUrlSequences] [msrc lt]
(B
(B
(BHi,
(B
(BThank you very much for your note.  We really appreciate the feedback.
(B
(BUrlScan does care about the whole URL.  However, it *does not* care
(Babout the query string.
(B
(BEach of the examples below demonstrates something in the query string
(Bthat the customer is expecting to be rejected.  Specifically, it looks
(Blike the customer is trying to use UrlScan to deal with IE's cross site
(Bscripting problems.  This is a problem that cannot be reasonably fixed
(Bin any kind of filter running on the server (this is a scenario that IE
(Bhas enabled, and they are the only ones that can truly fix it).
(B
(BSpecifically, UrlScan (and even IIS itself) does not canonicalize or
(Bprocess the query string because the data contained there is private to
(Bthe target of the URL.  If we were to modify it in any way, it could
(Bresult in unpredicatable behavior by whatever component is processing
(Bit.  There is no specification or set of rules to which it must conform
(B(except that it cannot contain a space or NULL).  Finally, if an
(Battacker really wanted to exploit IE's cross site scripting
(Bvulnerability, they could simply change their request from a GET to a
(BPOST and include the problem string in the entity body, where it would
(Bbe safely out of reach of UrlScan or any other filter.  Any suggestion
(Bthat *anything* in IIS can fix this client problem will result in a
(Bfalse sense of security.
(B
(BIf you have additional feedback or feel that we have missed something,
(Bplease let us know.  Your feedback is important.
(B
(BAgain, thank you very much for your email and I hope that this helps to
(Banswer your question.
(B
(BRegards,
(B
(BSecure@xxxxxxxxxxxxx
(B
(B
(B---
(B
(BHideaki Ihara <hideaki@xxxxxxxxxxxxx>
(BPort139 URL: http://www.port139.co.jp/
(BPGP PUBLIC KEY: http://www.port139.co.jp/pgp/

References:
- [port139:00737] URLScan $B$N(B [DenyUrlSequences]
  - From: Hideaki Ihara

Prev by Date: [port139:00750] Re: NoLMHash
Next by Date: [port139:00752] Hotfix $B$N:FE,MQ(B
Previous by thread: [port139:00737] URLScan $B$N(B [DenyUrlSequences]
Next by thread: [port139:00742] $B%^%$%/%m%=%U%H(B $B%;%-%e%j%F%#(B $B%D!<%k(B $B%-(J$B%C%H(B : $B%7%9%F(J$B%`$X$NHo32>u67$N3NG'(B
Index(es):
- Date
- Thread

[port139:00751] Re: URLScan $B$N(B [DenyUrlSequences]

[port139:00751] Re: URLScan $B$N(B [DenyUrlSequences]