Does Http.sys block all mobile device requests?
Newsgroup: microsoft.public.inetserver.iis.security

"Hans Olav Stjernholm" <n***@no.no> wrote in message news:egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl...

Hi!

I'm using Windows 2003 and IIS 6.0 to host a mobile device application. I've migrated over from IIS 5.0. IIS 6.0 seems to block all incoming requests from mobile devices. My suspicion is that http.sys blocks these requests because they're without user agent or have an illegal \r\n ending in the request. But my problem is that I cannot control the requests generated by the mobile devices using my app.

Does anyone know how to shut off or configure the request blocking done by http.sys? Or do I have to go all the way back to Windows 2000?

Any ideas or suggestions are welcome!!!

PS: I suspect that http.sys blocks the mobile device requests because they don't have a user agent in the header. The request headers sent by the mobile devices are as follows:

Connection: close
Host=myweb.com:80

The Httperr.log looks like this:

2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest


David Wang [Msft] wrote:

For proper security, servers should only accept proper HTTP requests. Applications that cannot send proper HTTP requests are broken and should be fixed.

There is no way to shut off nor configure request blocking done by HTTP.SYS. It is an important part of overall server security.

The only resolutions I see are:
1. Use IIS5 on Windows 2000 (i.e. forsake security achieved by IIS6 over IIS5)
2. Open a PSS support case on the behavior and justify a change in HTTP.SYS

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//


"bertelmonster" <bertelmonster.1nm***@mail.webservertalk.com> wrote in message news:bertelmonster.1nmv52@mail.webservertalk.com...

Still no solution for this problem? (

- Devices in the market cannot be changed.
- Not possible to get request before http.sys (kernel mode).

To strictly conform to the HTTP spec is very good. But it should be possible to intercept requests!

--
bertelmonster
Posted via http://www.webservertalk.com
View this thread: http://www.webservertalk.com/message349594.html


"Dave" <no***@nowhere.com> wrote in message news:O6eL3V1QFHA.1476@TK2MSFTNGP09.phx.gbl...
Date: Sun, 17 Apr 2005 13:57:48 -0000

Surely you can put a filter before http.sys. Isn't that the basis of how UrlScan and other ISAPI filters work? If nothing else, send IIS to a different port and write your own proxy to listen on port 80 and fix up requests before forwarding them on to IIS.


Wade A. Hilmo [Microsoft] wrote:

Hi Dave and bertelmonster,

First off, a user-agent header is not required in any version of HTTP, so http.sys will not reject a request based on that. In looking at the header data above, I see a properly formed connection header, but the line "Host=myweb.com:80" will cause http.sys to fail to find a host header. Since a host header is required for HTTP/1.1, this could cause a 400 response. The correct value of the header should be "Host: myweb.com:80".

Also, assuming that this header is just a typo, there could be something outside of just the headers that's making the request invalid. It would be necessary to see a capture of the actual raw request in its entirety to say for sure what's wrong.

Finally, regarding filters, in Worker Process Isolation Mode, David is correct that you cannot intercept the request. UrlScan and other filters work by looking at the request after it's been parsed by http.sys. In IIS 5 Isolation Mode, though, you can write a read raw data filter that sees the raw data stream before http.sys parses it. It would be possible to put IIS into this mode and use such a filter to fix the data stream. This would probably not be an ideal solution, as you would give up the benefits of the new IIS 6 process model.

If it's true that the device is really sending a malformed host header, then that would be a very serious defect in the device and you should definitely contact the vendor.

Thank you,
-Wade A. Hilmo,
-Microsoft


Andrew Davis [Microsoft PSS Security] wrote, in reply to Dave's message of Sun, 17 Apr 2005:

ISAPI filters in IIS 6.0 do not load "before" http.sys. They process incoming requests AFTER http.sys routes the incoming request to that website.

In IIS 5.0 (Win2k) there was no http.sys, so the incoming requests went directly to IIS. IIS loaded all ISAPI filters in inetinfo.exe, so all incoming requests would be parsed by all installed ISAPI filters. Filters like URLScan could parse the incoming request before it was consumed by IIS, allowing improper requests to be rejected.

In IIS 6.0 http.sys was introduced and it acts like a filter itself in a way, checking incoming requests for validity. If the validity check fails then the request is rejected and logged in \logfiles\httperr. IIS doesn't know about these incoming requests. If the request is allowed by http.sys then the request is passed on to the IIS process the request was intended for (w3wp.exe). Furthermore, ISAPI filters in IIS 6.0 are loaded into the specific process (w3wp.exe) they are intended for, so that not every request for every website has to go through all the ISAPI filters, just the ones intended for use with that particular website.

Hans - there is no way to shut down http.sys in IIS 6.0. If your app is not creating properly formed requests then http.sys will reject it.

Hope this helps!

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks!
~Andrew Davis
Microsoft PSS Security
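The following is an added example, not code from the thread or from Microsoft, written in Python to make Wade's diagnosis concrete and to show the "fix up requests in a front proxy" step Dave proposed. It applies the checks the thread discusses (CRLF framing, "name: value" header syntax, Host required for HTTP/1.1, no requirement for User-Agent) and then rewrites the one defect visible in the posted headers. The DEVICE_REQUEST bytes are constructed from the two header lines and the httperr.log URI Hans posted; the device's actual raw request was never shown in the thread, and the reason strings are this example's own, not http.sys's.

```python
"""
Added example: a strict HTTP/1.1 request-head validator in the spirit of the
checks http.sys applies, plus the "Host=" -> "Host:" fix-up that a proxy in
front of IIS could perform. Not Microsoft code; not taken from the thread.
"""
import re
from typing import Dict, Optional

# Header names must be RFC 7230 tokens; "=" is not a token character, so a
# line such as "Host=myweb.com:80" is not a header at all.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")

# Constructed from Hans's post: no User-Agent, and "Host=" instead of "Host:".
DEVICE_REQUEST = (
    b"GET /get.aspx?a=&u=38 HTTP/1.1\r\n"
    b"Connection: close\r\n"
    b"Host=myweb.com:80\r\n"
    b"\r\n"
)


def validate_request(raw: bytes) -> Optional[str]:
    """Return None if the request head is acceptable, otherwise a reason
    string (this example's own wording, modelled on the s-reason column of
    httperr.log). Simplification: folded header continuation lines are
    treated as malformed rather than unfolded."""
    if b"\r\n\r\n" not in raw:
        return "BadRequest: header block not terminated by CRLF CRLF"
    head = raw.split(b"\r\n\r\n", 1)[0]
    # Any CR or LF left after removing proper CRLF pairs is a bare one.
    stripped = head.replace(b"\r\n", b"")
    if b"\r" in stripped or b"\n" in stripped:
        return "BadRequest: bare CR or LF inside the header block"
    try:
        lines = [ln.decode("ascii") for ln in head.split(b"\r\n")]
    except UnicodeDecodeError:
        return "BadRequest: non-ASCII byte in request head"
    m = REQUEST_LINE_RE.match(lines[0])
    if m is None:
        return "BadRequest: malformed request line"
    version = (int(m.group(3)), int(m.group(4)))
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not TOKEN_RE.match(name):
            return f"BadRequest: malformed header line {line!r}"
        headers[name.lower()] = value.strip()
    # Host is mandatory from HTTP/1.1 on; nothing ever requires User-Agent.
    if version >= (1, 1) and "host" not in headers:
        return "BadRequest: HTTP/1.1 request without a Host header"
    return None


def fix_up_request(raw: bytes) -> bytes:
    """Rewrite a 'Host=value' line to 'Host: value' and leave every other
    byte untouched. This is the only defect visible in the posted headers;
    a proxy doing this would sit on port 80 ahead of IIS, as Dave suggested."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    fixed = []
    for line in head.split(b"\r\n"):
        if line[:5].lower() == b"host=":
            line = b"Host: " + line[5:].strip()
        fixed.append(line)
    return b"\r\n".join(fixed) + sep + body


if __name__ == "__main__":
    print("device request:", validate_request(DEVICE_REQUEST))
    print("after fix-up  :", validate_request(fix_up_request(DEVICE_REQUEST)))
```

Run as a script it reports the malformed "Host=" line for the constructed device request and None after the fix-up; the same request with a proper Host line but still no User-Agent passes, which is Wade's first point. Note that a rewriting proxy, as Wade's reply implies, moves the broken-client problem rather than solving it: the proxy now has to parse untrusted bytes itself.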
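Andrew's post explains that a request http.sys rejects is logged only in \logfiles\httperr and never reaches w3wp.exe or the site's own log, so that file is where an operator has to look for this class of failure. As an added example, not code from the thread or from Microsoft, the Python below parses lines in the layout Hans posted and summarizes rejections per reason, client and URI. Assumptions: the twelve-column field order is taken from the posted lines and is overridden by a "#Fields:" directive when one is present in the file; the two Timer_ConnectionIdle lines in the sample are constructed to show a second, benign reason code alongside the four real BadRequest lines.

```python
"""
Added example: triage of an IIS 6 httperr.log. Not Microsoft code; the
field layout is inferred from the lines posted in the thread.
"""
from collections import Counter
from typing import Dict, List

# Assumed column order, matching the 12 whitespace-separated fields in the
# posted lines. A "#Fields:" line in the log, if present, takes precedence.
DEFAULT_FIELDS = ["date", "time", "c-ip", "c-port", "s-ip", "s-port",
                  "cs-version", "cs-method", "cs-uri", "sc-status",
                  "s-siteid", "s-reason"]

# Four lines from Hans's post plus two constructed idle-timeout entries
# ("-" is the placeholder http.sys writes for fields it has no value for).
SAMPLE_LOG = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason
2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:14:10 10.0.0.7 51002 62.92.38.39 80 - - - - - Timer_ConnectionIdle
2004-07-29 08:15:41 10.0.0.9 51044 62.92.38.39 80 - - - - - Timer_ConnectionIdle
"""


def parse_httperr(text: str) -> List[Dict[str, str]]:
    """Turn httperr.log text into one dict per entry, keyed by field name.
    Directive lines start with '#'; cs-uri never contains a raw space (it is
    percent-encoded), so splitting on whitespace is safe."""
    fields = DEFAULT_FIELDS
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # truncated or foreign line: skip rather than misalign
        records.append(dict(zip(fields, cols)))
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Counts that answer the thread's question: which clients and which
    URIs are being rejected, and for what reason."""
    rejected = [r for r in records if r["sc-status"] == "400"]
    return {
        "by_reason": Counter(r["s-reason"] for r in records),
        "bad_clients": Counter(r["c-ip"] for r in rejected),
        "bad_uris": Counter(r["cs-uri"] for r in rejected),
    }


if __name__ == "__main__":
    for name, counter in summarize(parse_httperr(SAMPLE_LOG)).items():
        print(name, dict(counter))
```

On the sample this attributes all four 400s to one client and one URI, which is exactly the pattern of a single broken device type retrying; a spread across many clients and URIs would point at the server side instead.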