|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Filtering Query StringI have a client site who runs IIS5 as his web server with Filemaker 6 as there backend database. There is a major security flaw with the Filemaker web publishing engine and with a simple url string (e.g. fmpro?-format=-dso_xml&-dbnames) you can then view all the published databases, then you can drill down and view and execute the scripts in the database and you can view all the data stored in the database. What I would like to do is filter the query string, so each time dso_xml is found in the URL I would like to redirect to a 404 page. I have looked at URLScan but I can't seem to get it to filter my url strings. Can anyone give me any suggestions? TIA PS. Upgrading to Filemaker 8 is a major project and will take months to complete as the whole database system has been rebuilt and switching database products will not happen. You need an ISAPI re-writing tool. This would allow you to redirect on the
fly when you see a particular regular expression. There are a lot around - some free, some commercial. See http://blog.crowe.co.nz/category/19.aspx -- Show quoteHide quoteCheers Chris Crowe [IIS MVP 1997 -> 2006] http://blog.crowe.co.nz ------------------------------------------------ "West, I" <iain_wes***@hotmail.com> wrote in message news:Oli%23LU1mGHA.2256@TK2MSFTNGP04.phx.gbl... > Hi, > > I have a client site who runs IIS5 as his web server with Filemaker 6 as > there backend database. > > There is a major security flaw with the Filemaker web publishing engine > and with a simple url string (e.g. fmpro?-format=-dso_xml&-dbnames) you > can then view all the published databases, then you can drill down and > view and execute the scripts in the database and you can view all the data > stored in the database. > > What I would like to do is filter the query string, so each time dso_xml > is found in the URL I would like to redirect to a 404 page. I have looked > at URLScan but I can't seem to get it to filter my url strings. > > Can anyone give me any suggestions? > > TIA > > PS. Upgrading to Filemaker 8 is a major project and will take months to > complete as the whole database system has been rebuilt and switching > database products will not happen. > > Thanks, downloaded mod_rewrite and got in working how I wanted in minutes!
Thanks again. Show quoteHide quote "Chris Crowe [MVP 1997 -> 2006]" <IISMVP2***@iisfaq.homeip.net> wrote in message news:ODQ5sK2mGHA.976@TK2MSFTNGP03.phx.gbl... > You need an ISAPI re-writing tool. This would allow you to redirect on the > fly when you see a particular regular expression. > > There are a lot around - some free, some commercial. > > See http://blog.crowe.co.nz/category/19.aspx > > -- > > Cheers > > Chris Crowe [IIS MVP 1997 -> 2006] > http://blog.crowe.co.nz > ------------------------------------------------ > > > "West, I" <iain_wes***@hotmail.com> wrote in message > news:Oli%23LU1mGHA.2256@TK2MSFTNGP04.phx.gbl... >> Hi, >> >> I have a client site who runs IIS5 as his web server with Filemaker 6 as >> there backend database. >> >> There is a major security flaw with the Filemaker web publishing engine >> and with a simple url string (e.g. fmpro?-format=-dso_xml&-dbnames) you >> can then view all the published databases, then you can drill down and >> view and execute the scripts in the database and you can view all the >> data stored in the database. >> >> What I would like to do is filter the query string, so each time dso_xml >> is found in the URL I would like to redirect to a 404 page. I have >> looked at URLScan but I can't seem to get it to filter my url strings. >> >> Can anyone give me any suggestions? >> >> TIA >> >> PS. Upgrading to Filemaker 8 is a major project and will take months to >> complete as the whole database system has been rebuilt and switching >> database products will not happen. >> >> > > I'm not saying that your solution does not work; I am simply pointing out
the relevant security detail. In general, what you are trying to do does NOT work. See the blog entry for details: http://blogs.msdn.com/david.wang/archive/2005/07/18/Why_URLScan_ignores_querystring_for_DenyUrlSequences.aspx Without knowing EXACTLY how the querystring is decoded by the application, you cannot correctly filter it. This is the classic problem with filtering -- you must reach canonical (or normalized) form before applying logical filtering to make it effective, and without a specification detailing how to reach canonical form, filtering is useless because it can be bypassed. For example, what happens if "_" is %-decoded or UTF8-decoded by the application. It can escape your filtering but still affect the application. Sure, you can filter on those forms, but that is non-scalable complexity. Of course, you can reach suitably constrained and localized solutions, but please do not mistake it as the right solution. -- Show quoteHide quote//David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // "West, I" <iain_wes***@hotmail.com> wrote in message news:%23SPrkZ4mGHA.200@TK2MSFTNGP03.phx.gbl... > Thanks, downloaded mod_rewrite and got in working how I wanted in minutes! > Thanks again. > > > "Chris Crowe [MVP 1997 -> 2006]" <IISMVP2***@iisfaq.homeip.net> wrote in > message news:ODQ5sK2mGHA.976@TK2MSFTNGP03.phx.gbl... >> You need an ISAPI re-writing tool. This would allow you to redirect on >> the fly when you see a particular regular expression. >> >> There are a lot around - some free, some commercial. >> >> See http://blog.crowe.co.nz/category/19.aspx >> >> -- >> >> Cheers >> >> Chris Crowe [IIS MVP 1997 -> 2006] >> http://blog.crowe.co.nz >> ------------------------------------------------ >> >> >> "West, I" <iain_wes***@hotmail.com> wrote in message >> news:Oli%23LU1mGHA.2256@TK2MSFTNGP04.phx.gbl... >>> Hi, >>> >>> I have a client site who runs IIS5 as his web server with Filemaker 6 as >>> there backend database. >>> >>> There is a major security flaw with the Filemaker web publishing engine >>> and with a simple url string (e.g. fmpro?-format=-dso_xml&-dbnames) you >>> can then view all the published databases, then you can drill down and >>> view and execute the scripts in the database and you can view all the >>> data stored in the database. >>> >>> What I would like to do is filter the query string, so each time dso_xml >>> is found in the URL I would like to redirect to a 404 page. I have >>> looked at URLScan but I can't seem to get it to filter my url strings. >>> >>> Can anyone give me any suggestions? >>> >>> TIA >>> >>> PS. Upgrading to Filemaker 8 is a major project and will take months to >>> complete as the whole database system has been rebuilt and switching >>> database products will not happen. >>> >>> >> >> > > 
Other interesting topics
Is there a way to avoid/security alert box from redirecting to HTTP to HTTPS?
Can Somone Tell Me If We Have a Hacker? A little help (kerberos, netbios, and SPN... oh my!) login problem with iis and webdav. security error in IIS logs (401.2 error) Keeping a particular intruder out The IIS service does not seem to be serving up .asmx or .asp pages New HTTPS web site and certificate installation file security/authentication IIS5: Renew certificate |
|||||||||||||||||||||||
