Fixing IIS 6 issue with semi-colon

In an earlier post I talked about the semi-colon issue and since then we have published a KB article 979124 on how to configure uploads for web applications in IIS as well. To complete the story I wanted to do a quick write-up on how to go about fixing your server configuration to avoid this issue.

Step 1: Block incoming malicious requests using UrlScan

This is a stopgap solution to keep your server running while you fix the configuration issue. The simplest solution is to disallow semi-colons in your URL. Please refer to the Using UrlScan article on installing and  configuring the tool. The specific piece of configuration you want to add to the urlscan.ini file is the value 0x3B in the [DenyUrlSequences] section. 0x3B is the character value for the semi-colon character.

Step 2: Identify and modify incorrectly configured upload directories

There are multiple ways that your upload directories could be misconfigured depending on how you configure isolation for your site (metabase ACLs vs. NTFS ACLs). In case you are using metabase ACLs, what we need to identify here are all the paths that have both Write and Script flags set on the AccessFlags metabase property and remove the script flag. Here’s a sample script that will find all such paths and fix them for a server. Please take a look at the output of the script to see the paths where script permissions were removed and make sure they are indeed upload paths.

'  File: RemoveScriptPermissions.vbs 
'  Copyright Microsoft Corp. 2010 
'  Author: Nazim Lala 

'  This script will remove script permissions from AccessFlags for all 
'  paths on the local server that has both write(MD_ACCESS_WRITE) and 
'  script(MD_ACCESS_SCRIPT) permissions. You can optionally specify
'  a remote server name to perform this operation on.

'  Usage: 
'      cscript RemoveScriptPermissions.vbs [RemoteServerName]
'
' NOTE: THIS SCRIPT IS FOR USE WITH IIS6 ONLY (WINDOWS SERVER 2003)

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

OPTION EXPLICIT

DIM strServer, strBindings
DIM objWebService, objWebServer, objDir

IF WScript.Arguments.Length = 1 THEN
   
strServer = WScript.Arguments( 0 )
ELSE
   
strServer = "localhost"
END IF

SET objWebService = GetObject( "IIS://" & strServer & "/W3SVC" )

' Enumerate websites on the server
FOR EACH objWebServer IN objWebService
   
IF objWebserver.Class = "IIsWebServer" THEN
       
EnumAndFixDirectories(objWebServer)
   
END IF
NEXT

SUB EnumAndFixDirectories(objDir)
   
DIM objSubDir
    
   
FixScriptAndWrite(objDir)
   
FOR EACH objSubDir IN objDir
       
IF (objSubDir.Class = "IIsWebVirtualDir"  OR _
           
objSubDir.Class = "IIsWebDirectory") THEN
           
EnumAndFixDirectories(objSubDir)
       
END IF
   
NEXT    
END SUB

SUB FixScriptAndWrite(objDir)
   
IF (objDir.AccessWrite = True AND objDir.AccessScript = True) THEN       
       
WScript.Echo "Fixing: " & objDir.AdsPath
       
objDir.Put "AccessScript", False
       
objDir.SetInfo
   
END IF
END SUB

Step 3: Remove UrlScan filtering for semi-colons

After you have confirmed that all affected configuration has been updated, go and remove the semicolon (0x3B) from the [DenyUrlSequences] entry in urlscan.ini.

No Comments