Fixing IIS 6 issue with semi-colon

Friday, January 15, 2010

IIS6 UrlScan

In an earlier post I talked about the semi-colon issue and since then we have published a KB article 979124 on how to configure uploads for web applications in IIS as well. To complete the story I wanted to do a quick write-up on how to go about fixing your server configuration to avoid this issue.

Step 1: Block incoming malicious requests using UrlScan

This is a stopgap solution to keep your server running while you fix the configuration issue. The simplest solution is to disallow semi-colons in your URL. Please refer to the Using UrlScan article on installing and configuring the tool. The specific piece of configuration you want to add to the urlscan.ini file is the value 0x3B in the [DenyUrlSequences] section. 0x3B is the character value for the semi-colon character.

Step 2: Identify and modify incorrectly configured upload directories

There are multiple ways that your upload directories could be misconfigured depending on how you configure isolation for your site (metabase ACLs vs. NTFS ACLs). In case you are using metabase ACLs, what we need to identify here are all the paths that have both Write and Script flags set on the AccessFlags metabase property and remove the script flag. Here’s a sample script that will find all such paths and fix them for a server. Please take a look at the output of the script to see the paths where script permissions were removed and make sure they are indeed upload paths.

' File: RemoveScriptPermissions.vbs
' Copyright Microsoft Corp. 2010
' Author: Nazim Lala
'
' This script will remove script permissions from AccessFlags for all
' paths on the local server that has both write(MD_ACCESS_WRITE) and
' script(MD_ACCESS_SCRIPT) permissions. You can optionally specify
' a remote server name to perform this operation on.
'
' Usage:
'      cscript RemoveScriptPermissions.vbs [RemoteServerName]
'
' NOTE: THIS SCRIPT IS FOR USE WITH IIS6 ONLY (WINDOWS SERVER 2003)
'
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

OPTION EXPLICIT

DIM strServer, strBindings
DIM objWebService, objWebServer, objDir

IF WScript.Arguments.Length = 1 THEN
    strServer = WScript.Arguments( 0 )
ELSE
    strServer = "localhost"
END IF

SET objWebService = GetObject( "IIS://" & strServer & "/W3SVC" )

' Enumerate websites on the server
FOR EACH objWebServer IN objWebService
    IF objWebserver.Class = "IIsWebServer" THEN
        EnumAndFixDirectories(objWebServer)
    END IF
NEXT

SUB EnumAndFixDirectories(objDir)
    DIM objSubDir

    FixScriptAndWrite(objDir)
    FOR EACH objSubDir IN objDir
        IF (objSubDir.Class = "IIsWebVirtualDir" OR _
            objSubDir.Class = "IIsWebDirectory") THEN
            EnumAndFixDirectories(objSubDir)
        END IF
    NEXT
END SUB

SUB FixScriptAndWrite(objDir)
    IF (objDir.AccessWrite = True AND objDir.AccessScript = True) THEN
        WScript.Echo "Fixing: " & objDir.AdsPath
        objDir.Put "AccessScript", False
        objDir.SetInfo
    END IF
END SUB

Step 3: Remove UrlScan filtering for semi-colons

After you have confirmed that all affected configuration has been updated, go and remove the semicolon (0x3B) from the [DenyUrlSequences] entry in urlscan.ini.

Step 1: Block incoming malicious requests using UrlScan

Step 2: Identify and modify incorrectly configured upload directories

Step 3: Remove UrlScan filtering for semi-colons

No Comments