Fixing IIS 6 issue with semi-colon
In an earlier post I talked about the semi-colon issue and since then we have published a KB article 979124 on how to configure uploads for web applications in IIS as well. To complete the story I wanted to do a quick write-up on how to go about fixing your server configuration to avoid this issue.
Step 1: Block incoming malicious requests using UrlScan
This is a stopgap solution to keep your server running while you fix the configuration issue. The simplest solution is to disallow semi-colons in request URLs. Please refer to the Using UrlScan article on installing and configuring the tool. The specific piece of configuration you want to add to the urlscan.ini file is the value 0x3B in the [DenyUrlSequences] section; 0x3B is the character code for the semi-colon character.
Step 2: Identify and modify incorrectly configured upload directories
There are multiple ways that your upload directories could be misconfigured depending on how you configure isolation for your site (metabase ACLs vs. NTFS ACLs). In case you are using metabase ACLs, what we need to identify here are all the paths that have both Write and Script flags set on the AccessFlags metabase property and remove the script flag. Here’s a sample script that will find all such paths and fix them for a server. Please take a look at the output of the script to see the paths where script permissions were removed and make sure they are indeed upload paths.
```vbscript
' File: RemoveScriptPermissions.vbs
' Copyright Microsoft Corp. 2010
' Author: Nazim Lala
'
' This script will remove script permissions from AccessFlags for all
' paths on the local server that have both write (MD_ACCESS_WRITE) and
' script (MD_ACCESS_SCRIPT) permissions. You can optionally specify
' a remote server name to perform this operation on.
'
' Usage:
' cscript RemoveScriptPermissions.vbs [RemoteServerName]
'
' NOTE: THIS SCRIPT IS FOR USE WITH IIS6 ONLY (WINDOWS SERVER 2003)
'
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
OPTION EXPLICIT

DIM strServer
DIM objWebService, objWebServer

' Target the local server unless a remote server name was passed in
IF WScript.Arguments.Length = 1 THEN
    strServer = WScript.Arguments( 0 )
ELSE
    strServer = "localhost"
END IF

SET objWebService = GetObject( "IIS://" & strServer & "/W3SVC" )

' Enumerate websites on the server
FOR EACH objWebServer IN objWebService
    IF objWebServer.Class = "IIsWebServer" THEN
        EnumAndFixDirectories(objWebServer)
    END IF
NEXT

' Walk the directory tree of a site (or directory) recursively
SUB EnumAndFixDirectories(objDir)
    DIM objSubDir
    FixScriptAndWrite(objDir)
    FOR EACH objSubDir IN objDir
        IF (objSubDir.Class = "IIsWebVirtualDir" OR _
            objSubDir.Class = "IIsWebDirectory") THEN
            EnumAndFixDirectories(objSubDir)
        END IF
    NEXT
END SUB

' Clear the Script flag on any path that has both Write and Script set
SUB FixScriptAndWrite(objDir)
    IF (objDir.AccessWrite = True AND objDir.AccessScript = True) THEN
        WScript.Echo "Fixing: " & objDir.AdsPath
        objDir.Put "AccessScript", False
        objDir.SetInfo
    END IF
END SUB
```
Step 3: Remove UrlScan filtering for semi-colons
After you have confirmed that all affected configuration has been updated, go and remove the semi-colon (0x3B) entry from the [DenyUrlSequences] section in urlscan.ini.
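The script above changes the live metabase. Before running it, and again before removing the UrlScan rule in Step 3, it is useful to audit a metabase backup offline so you can review the affected paths without touching the server. The following Python script is an added example and not part of the original post or the IIS tooling: it reads an IIS 6 MetaBase.xml export and lists every node whose AccessFlags carry both Write and Script. The bit values MD_ACCESS_WRITE (0x2) and MD_ACCESS_SCRIPT (0x200) are the documented metabase constants; the symbolic names AccessWrite and AccessScript are how MetaBase.xml records them. The embedded sample metabase is constructed for the example and is a simplified approximation of the real file layout.

```python
# Added example (not from the original post): offline audit of an IIS 6
# MetaBase.xml export for paths with both Write and Script permissions.
import re
import xml.etree.ElementTree as ET

# Metabase AccessFlags bit values (MD_ACCESS_* constants).
MD_ACCESS_READ = 0x1
MD_ACCESS_WRITE = 0x2
MD_ACCESS_EXECUTE = 0x4
MD_ACCESS_SOURCE = 0x10
MD_ACCESS_SCRIPT = 0x200

# Symbolic names as they appear in the AccessFlags attribute of MetaBase.xml.
FLAG_NAMES = {
    "AccessRead": MD_ACCESS_READ,
    "AccessWrite": MD_ACCESS_WRITE,
    "AccessExecute": MD_ACCESS_EXECUTE,
    "AccessSource": MD_ACCESS_SOURCE,
    "AccessScript": MD_ACCESS_SCRIPT,
}


def parse_access_flags(value):
    """Turn an AccessFlags attribute into a bitmask.

    MetaBase.xml normally stores symbolic names joined by '|'; a plain
    decimal integer is accepted too. Unknown names are ignored rather than
    treated as an error so the audit keeps going over the whole file.
    """
    value = value.strip()
    if re.fullmatch(r"\d+", value):
        return int(value)
    mask = 0
    for name in value.split("|"):
        mask |= FLAG_NAMES.get(name.strip(), 0)
    return mask


def find_write_and_script(xml_text):
    """Return the Location of every node that has both Write and Script set."""
    root = ET.fromstring(xml_text)
    hits = []
    # Attributes are unqualified even though the elements carry a default
    # namespace, so node.get() works without namespace handling.
    for node in root.iter():
        flags = node.get("AccessFlags")
        location = node.get("Location")
        if flags is None or location is None:
            continue
        mask = parse_access_flags(flags)
        if mask & MD_ACCESS_WRITE and mask & MD_ACCESS_SCRIPT:
            hits.append(location)
    return hits


# Constructed sample: a cut-down MetaBase.xml with one correct upload
# directory, one misconfigured one, and one node using numeric flags (514 = 0x202).
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProp>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    AccessFlags="AccessRead | AccessScript" Path="c:\\inetpub\\wwwroot" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/uploads"
    AccessFlags="AccessRead | AccessWrite | AccessScript" Path="c:\\inetpub\\uploads" />
<IIsWebDirectory Location="/LM/W3SVC/1/ROOT/images"
    AccessFlags="AccessRead | AccessWrite" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT/data" AccessFlags="514" />
</MBProp>
</configuration>
"""


if __name__ == "__main__":
    # Replace SAMPLE_METABASE with the contents of a real MetaBase.xml backup.
    for loc in find_write_and_script(SAMPLE_METABASE):
        print("Write+Script:", loc)
```

Run it against a copy of MetaBase.xml (or the output of `iisback` / the metabase export) and compare the listed locations with the "Fixing:" lines printed by RemoveScriptPermissions.vbs; when the audit returns nothing, the condition from Step 2 no longer exists and the UrlScan rule can be removed.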