URLscan 2.5 does not scan for CGI parameters
on 24.01.2007 12:03:12 by cilmberg
Hi,
I have IIS 6 on Windows 2003 SP1 with URLScan 2.5 running a CGI
application.
I want certain characters to be removed from the whole URL,
including the CGI parameters. Unfortunately URLScan only checks up to
the '?' character, which indicates that the CGI parameters follow.
Unfortunately URLScan checks only up to this character; the rest of the
URL is left unchecked.
e.g.
detected by urlscan:
http://myhost/cgi-bin/application.exe..?p1=1&p2=2
not detected by urlscan:
http://myhost/cgi-bin/application.exe?p1=1&p2=2&..
the relevant sections in urlscan.ini are:
[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=1
AllowDotInPath=1
RemoveServerHeader=0
EnableLogging=1
PerProcessLogging=1
AllowLateScanning=0
PerDayLogging=1
UseFastPathReject=0
LogLongUrls=1
[DenyUrlSequences]
... ; Don't allow directory traversals
../ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
<
>
(
)
%2e
%3c
%3C
%3e
%3E
Maybe there is an undocumented URLScan parameter which helps.
Thank you in advance.
Claus
Re: URLscan 2.5 does not scan for CGI parameters
on 24.01.2007 13:09:29 by Daniel Crichton
cilmberg@opentext.com wrote on 24 Jan 2007 03:03:12 -0800:
> Hi,
>
> I have IIS 6 on Windows 2003 SP1 with URLScan 2.5 running a CGI
> application.
>
> I want certain characters to be removed from the whole URL,
> including the CGI parameters. Unfortunately URLScan only checks up to
> the '?' character, which indicates that the CGI parameters follow.
> Unfortunately URLScan checks only up to this character; the rest of the
> URL is left unchecked.
>
> e.g.
> detected by urlscan:
> http://myhost/cgi-bin/application.exe..?p1=1&p2=2
>
> not detected by urlscan:
> http://myhost/cgi-bin/application.exe?p1=1&p2=2&..
>
Why can't you just have the CGI ignore the parameters it doesn't need to
use?
Dan
Re: URLscan 2.5 does not scan for CGI parameters
on 24.01.2007 13:56:07 by cilmberg
Sure, the CGI does not process this parameter, but it passes it to the
client, so in case you add some kind of code it could be executed at the
client. That is what I would like to avoid.
Claus
On 24 Jan., 13:09, "Daniel Crichton" wrote:
> cilmb...@opentext.com wrote on 24 Jan 2007 03:03:12 -0800:
>
> > Hi,
>
> > I have IIS 6 on Windows 2003 SP1 with URLScan 2.5 running a CGI
> > application.
>
> > I want certain characters to be removed from the whole URL,
> > including the CGI parameters. Unfortunately URLScan only checks up to
> > the '?' character, which indicates that the CGI parameters follow.
> > Unfortunately URLScan checks only up to this character; the rest of the
> > URL is left unchecked.
>
> > e.g.
> > detected by urlscan:
> > http://myhost/cgi-bin/application.exe..?p1=1&p2=2
>
> > not detected by urlscan:
> > http://myhost/cgi-bin/application.exe?p1=1&p2=2&..
>
> Why can't you just have the CGI ignore the parameters it doesn't need to
> use?
>
> Dan
Re: URLscan 2.5 does not scan for CGI parameters
on 24.01.2007 17:32:32 by Daniel Crichton
cilmberg@opentext.com wrote on 24 Jan 2007 04:56:07 -0800:
> Sure, the CGI does not process this parameter, but it passes it to the
> client, so in case you add some kind of code it could be executed at the
> client. That is what I would like to avoid.
So you have a potential cross-site scripting vulnerability in the CGI. Ouch.
How about getting the CGI to not spit out what is entered, but instead only
output what it should be - and even then, ensuring that any HTML elements
are stripped or replaced so that they can't be used in this way. I've been
writing web applications (including CGI) for 12 years - one of the first
things I learnt was to make sure that you never output directly what is put
in; always validate entries and always strip/clean output before writing to
the client.
Unfortunately URLScan isn't going to help you here; if you can't fix the CGI
you'll have to look for a third-party ISAPI pre-processor or some other way
of intercepting the data before it gets to the CGI.
Dan
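The advice in the post above, validate what comes in and encode what goes out in the CGI itself, as an added Python illustration written for this page (not code from the thread or from any product it names). The parameter name `p2`, the allow-list pattern, the page template and the sample query strings are assumptions made for the demonstration; the "unsafe" function shows the reflection pattern Dan describes, the "safe" one the fix.

```python
"""Validate on input, encode on output, instead of relying on URLScan to
strip characters from the query string. Example code added for this page;
'p2', the allow-list and the page template are assumptions."""
import html
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed query strings standing in for QUERY_STRING as a CGI would see it.
SAMPLE_OK = "p1=1&p2=report_7"
SAMPLE_MARKUP = "p1=1&p2=<b>x</b>"
SAMPLE_ENCODED = "p1=1&p2=%3Cb%3Ex%3C/b%3E"   # same markup, percent-encoded


def param(query_string: str, name: str) -> str:
    """First value of a query parameter, percent-decoded; '' if absent."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(query_string: str) -> str:
    """The pattern Dan warns about: whatever arrived in p2 is written to the
    client verbatim, so markup in the parameter becomes markup in the page."""
    return "<p>You asked for: %s</p>" % param(query_string, "p2")


# Allow-list for p2: the application decides what a legitimate value looks like.
P2_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def validate_p2(value: str) -> Optional[str]:
    """Return the value only if it matches the allow-list, otherwise None."""
    return value if P2_PATTERN.match(value) else None


def encode_for_html(value: str) -> str:
    """Output encoding for HTML text content (and attribute values, via quote=True)."""
    return html.escape(value, quote=True)


def render_safe(query_string: str) -> str:
    """Validate on input, encode on output; a rejected value is never reflected."""
    value = validate_p2(param(query_string, "p2"))
    if value is None:
        # Fixed text: nothing the client sent reaches the response.
        return "<p>Invalid value for p2.</p>"
    return "<p>You asked for: %s</p>" % encode_for_html(value)


if __name__ == "__main__":
    for qs in (SAMPLE_OK, SAMPLE_MARKUP, SAMPLE_ENCODED):
        print(qs, "->", render_safe(qs))
```

Note that `parse_qs` decodes percent-encoding before the allow-list is applied, so the check does not have to enumerate spellings such as `%3c` and `%3C` the way the posted `[DenyUrlSequences]` list does; the value is judged after decoding, once, in the place that knows what a valid value is.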
Re: URLscan 2.5 does not scan for CGI parameters
on 24.01.2007 17:58:04 by cilmberg
OK, I see your point. And you are sure that URLScan will not help in
this case? My initial understanding was that CGI parameters are part of
the URL anyway.
On 24 Jan., 17:32, "Daniel Crichton" wrote:
> cilmb...@opentext.com wrote on 24 Jan 2007 04:56:07 -0800:
>
> > Sure, the CGI does not process this parameter, but it passes it to the
> > client, so in case you add some kind of code it could be executed at the
> > client. That is what I would like to avoid.
>
> So you have a potential cross-site scripting vulnerability in the CGI. Ouch.
> How about getting the CGI to not spit out what is entered, but instead only
> output what it should be - and even then, ensuring that any HTML elements
> are stripped or replaced so that it can't be used in this way. I've been
> writing web applications (including CGI) for 12 years - one of the first
> things I learnt was to make sure that you never output directly what is put
> in, always validate entries and always strip/clean output before writing to
> the client.
>
> Unfortunately URLScan isn't going to help you here, if you can't fix the CGI
> you'll have to look for a third party ISAPI pre-processor or some other way
> of intercepting the data before it gets to the CGI.
>
> Dan
Re: URLscan 2.5 does not scan for CGI parameters
on 24.01.2007 18:11:43 by Daniel Crichton
cilmberg@opentext.com wrote on 24 Jan 2007 08:58:04 -0800:
> OK, I see your point. And you are sure that URLScan will not help in
> this case? My initial understanding was that CGI parameters are part of
> the URL anyway.
URLScan ignores the querystring - see
http://blogs.msdn.com/david.wang/archive/2005/07/18/Why-URLScan-ignores-querystring-for-DenyUrlSequences.aspx
for more info.
Dan
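The behaviour the thread settles on, that URLScan 2.5 applies `[DenyUrlSequences]` only to the part of the URL before the `?`, modelled in Python as an added illustration for this page. This is not URLScan's code, and the sequence list is a constructed subset of the kind of entries in the posted urlscan.ini (`..` is the one the two example URLs from the first post exercise); the second function shows what a check over the whole request target would have done with the same two URLs.

```python
"""Model of a DenyUrlSequences-style check that, like URLScan 2.5, looks only
at the path before '?', next to a check over path plus query string.
Added illustration for this page; not URLScan's code. The sequence list is a
constructed subset; the posted urlscan.ini is the authority for the real one."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed for the demonstration (see the posted [DenyUrlSequences] section).
DENY_URL_SEQUENCES = ["..", "\\", "<", ">", "(", ")"]


def first_denied_sequence(text: str,
                          sequences=DENY_URL_SEQUENCES) -> Optional[str]:
    """Return the first denied sequence that occurs in text, or None."""
    for seq in sequences:
        if seq in text:
            return seq
    return None


def path_only_check(url: str) -> Optional[str]:
    """Emulates URLScan 2.5: only the path, everything before '?', is scanned.
    The query string is never looked at, so a denied sequence there passes."""
    return first_denied_sequence(urlsplit(url).path)


def whole_target_check(url: str) -> Optional[str]:
    """What the original poster expected: path and query string both scanned."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return first_denied_sequence(target)


def explain(url: str) -> str:
    """One line describing how each check treats the URL."""
    return "%s -> path-only: %s, whole target: %s" % (
        url,
        path_only_check(url) or "pass",
        whole_target_check(url) or "pass",
    )


if __name__ == "__main__":
    # The two URLs from the first post in the thread.
    for u in ("http://myhost/cgi-bin/application.exe..?p1=1&p2=2",
              "http://myhost/cgi-bin/application.exe?p1=1&p2=2&.."):
        print(explain(u))
```

Run stand-alone it prints that the first URL is rejected by both checks and the second only by the whole-target check, which is exactly the difference the first post observed. The query string is application data, so even a filter that did scan it would only be enumerating byte sequences; the durable fix is the one Dan gives, validation and output encoding inside the CGI.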
Re: URLscan 2.5 does not scan for CGI parameters
on 24.01.2007 18:18:01 by cilmberg
That's the answer I needed. Thank you.
On 24 Jan., 18:11, "Daniel Crichton" wrote:
> cilmb...@opentext.com wrote on 24 Jan 2007 08:58:04 -0800:
>
> > OK, I see your point. And you are sure that URLScan will not help in
> > this case? My initial understanding was that CGI parameters are part of
> > the URL anyway.
>
> URLScan ignores the querystring - see http://blogs.msdn.com/david.wang/archive/2005/07/18/Why-URLScan-ignor...
> for more info.
>
> Dan