The following is a copy of the INI file that sets the filter rules for URLScan. There is some discussion on how to modify it so that it will work with CF. For example, some say you have to just modify the extensions sections to allow cfm, cfml, cfc, jsp, etc. Others say you have to change the "RemoveServerHeader" and "AlternateServerName" attributes.
There was also a report where MM was blaming MS for URLscan causing problems and vice versa. There was also another report that URLscan was causing problems on MAC clients. I am afraid I don't know the answer and am only reporting what I have read. If you read the INI over it will certainly explain what URLScan does.

Dave Adams
CFUG Ottawa

[options]
UseAllowVerbs=1            ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0       ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1   ; if 1, canonicalize URL before processing
VerifyNormalization=1      ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0   ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0           ; if 1, allow dots that are not file extensions
RemoveServerHeader=0       ; if 1, remove "Server" header from response
EnableLogging=1            ; if 1, log UrlScan activity
PerProcessLogging=0        ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0        ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1            ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl=         ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0        ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=

[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
GET
HEAD
POST

[DenyVerbs]
;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH

[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;
Translate:
If:
Lock-Token:

[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
.asp
.cer
.cdx
.asa
.htm
.html
.txt
.jpg
.jpeg
.gif
;.idq
;.htw
;.ida
;.idc
;.shtm
;.shtml
;.stm
;.htr
;.printer

[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;

; Deny executables that could run on the server
.exe
.bat
.cmd
.com

; Deny infrequently used scripts
.htw       ; Maps to webhits.dll, part of Index Server
.ida       ; Maps to idq.dll, part of Index Server
.idq       ; Maps to idq.dll, part of Index Server
.htr       ; Maps to ism.dll, a legacy administrative tool
.idc       ; Maps to httpodbc.dll, a legacy database access tool
.shtm      ; Maps to ssinc.dll, for Server Side Includes
.shtml     ; Maps to ssinc.dll, for Server Side Includes
.stm       ; Maps to ssinc.dll, for Server Side Includes
.printer   ; Maps to msw3prt.dll, for Internet Printing Services

; Deny various static files
.ini       ; Configuration files
.log       ; Log files
.pol       ; Policy files
.dat       ; Configuration files
;.asp
;.cer
;.cdx
;.asa

[DenyUrlSequences]
..         ; Don't allow directory traversals
./         ; Don't allow trailing dot on a directory name
\          ; Don't allow backslashes in URL
:          ; Don't allow alternate stream access
%          ; Don't allow escaping after normalization
&          ; Don't allow multiple CGI processes to run on a single request

Kola Oyedeji wrote:
>Has anyone noticed any additional performance overhead as a result of
>using it? Also
>What exactly does it protect you against? Cross-site scripting?
>
>Thanks
>
>Kola
>
>>>-----Original Message-----
>>>From: Mark Woods [mailto:[EMAIL PROTECTED]]
>>>Sent: 11 February 2003 14:34
>>>To: CF-Server
>>>Subject: RE: CFMX and URLScan - What is consensus?
>>>
>>>At 09:05 11/02/2003, you wrote:
>>>
>>>>What exactly does URLscan do?
>>>>
>>>see:
>>>
>>>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/URLScan.asp
>>>
>>>it's a http request filtering tool that runs as a high priority isapi
>>>filter in IIS, blocking incoming requests that are considered "risky"
>>>according to the settings in your urlscan.ini file.
>>>
>>>Every IIS server should be running it, or something similar. We've been
>>>running it for over a year alongside CF5 without any problems and upgraded
>>>all our servers to version 2.5 a few months ago without a hitch. To use it
>>>with CFMX you'll just need to ensure that you allow requests for coldfusion
>>>files (I haven't used CFMX, but doesn't it have a new .cfc extension for
>>>CFCs?). As far as I recall, the default config will allow requests for all
>>>extensions that are not in the DenyExtensions list so it should work "out
>>>of the box" for CFMX as well as CF5.
>>>
>>>Mark

______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics.
http://www.fusionauthority.com/signup.cfm
------------------------------------------------------------------------------
To unsubscribe, send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body or visit the list page at www.houseoffusion.com
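To make the thread's two points concrete (Mark's note that the shipped config admits any extension not in [DenyExtensions], and the suggestion to add the ColdFusion extensions if you switch to the allow list), here is an added example, not part of this thread and not Microsoft's UrlScan code: a small Python evaluator that parses a urlscan.ini excerpt like the one posted above and applies its verb, header, normalization, sequence, dot-in-path and extension rules to a request. It is a simplified model of the rules the INI comments describe, and it assumes the following where UrlScan's exact behaviour is not stated on the page: only the path portion of the URL is scanned, an extensionless URL is treated as extension ".", and the AllowDotInPath check is approximated as "no dot in any directory segment". The SAMPLE_INI text is a constructed, trimmed copy of the posted file.

```python
"""Evaluate HTTP requests against a UrlScan-style urlscan.ini (added example).

Simplified re-implementation of the rules the INI comments describe; not
Microsoft's UrlScan. Assumptions are marked inline.
"""
from urllib.parse import unquote

# Constructed, trimmed excerpt of the urlscan.ini posted in the thread.
SAMPLE_INI = """\
[options]
UseAllowVerbs=1          ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0     ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1    ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0
AllowDotInPath=0
[AllowVerbs]
GET
HEAD
POST
[DenyVerbs]
PROPFIND
PUT
[DenyHeaders]
Translate:
If:
Lock-Token:
[AllowExtensions]
.asp
.htm
.html
[DenyExtensions]
.exe
.ini  ; Configuration files
.log  ; Log files
[DenyUrlSequences]
..    ; Don't allow directory traversals
./    ; Don't allow trailing dot on a directory name
\\    ; Don't allow backslashes in URL
:     ; Don't allow alternate stream access
%     ; Don't allow escaping after normalization
&     ; Don't allow multiple CGI processes to run on a single request
"""


def parse_ini(text):
    """Return (options, sections). Inline ';' comments are stripped; names are lowercased."""
    options, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comment and ';'-prefixed (disabled) entries
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current == "options" and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
        elif current is not None:
            sections[current].append(line)
    return options, sections


def _flag(options, name):
    return options.get(name.lower(), "0") == "1"


def _entries(sections, name):
    return {e.lower() for e in sections.get(name.lower(), [])}


def check_request(cfg, method, path, headers=None):
    """Return (allowed, reason) for a request. `path` is the request path only (no scheme/host)."""
    options, sections = cfg
    verb = method.upper()
    if _flag(options, "UseAllowVerbs"):
        if verb.lower() not in _entries(sections, "AllowVerbs"):
            return False, f"verb {verb} not in [AllowVerbs]"
    elif verb.lower() in _entries(sections, "DenyVerbs"):
        return False, f"verb {verb} in [DenyVerbs]"
    denied_headers = {h.rstrip(":") for h in _entries(sections, "DenyHeaders")}
    for name in headers or {}:
        if name.lower() in denied_headers:
            return False, f"header {name} in [DenyHeaders]"
    url = path.split("?", 1)[0]  # assumption: the query string is not scanned in this model
    if _flag(options, "NormalizeUrlBeforeScan"):
        url = unquote(url)
        # VerifyNormalization: a second decode pass must be a no-op, else double encoding
        if _flag(options, "VerifyNormalization") and unquote(url) != url:
            return False, "URL still changes on second normalization (double encoding)"
    if not _flag(options, "AllowHighBitCharacters") and any(ord(c) > 127 for c in url):
        return False, "high-bit character in URL"
    for seq in sections.get("denyurlsequences", []):
        if seq in url:  # checked after normalization, so a leftover '%' is itself a hit
            return False, f"sequence {seq!r} in [DenyUrlSequences]"
    segments = url.split("/")
    if not _flag(options, "AllowDotInPath") and any("." in s for s in segments[:-1]):
        return False, "dot in a directory name (AllowDotInPath=0)"  # approximation of UrlScan's rule
    last = segments[-1]
    ext = "." + last.rsplit(".", 1)[1].lower() if "." in last else "."  # assumption: no extension -> "."
    if _flag(options, "UseAllowExtensions"):
        if ext not in _entries(sections, "AllowExtensions"):
            return False, f"extension {ext} not in [AllowExtensions]"
    elif ext in _entries(sections, "DenyExtensions"):
        return False, f"extension {ext} in [DenyExtensions]"
    return True, "allowed"


def with_allow_list(cfg, extra_extensions=()):
    """Copy of cfg switched to UseAllowExtensions=1, with extra extensions (e.g. ColdFusion's) added."""
    options, sections = cfg
    options = dict(options, useallowextensions="1")
    sections = {k: list(v) for k, v in sections.items()}
    sections.setdefault("allowextensions", []).extend(extra_extensions)
    return options, sections


if __name__ == "__main__":
    default = parse_ini(SAMPLE_INI)
    strict = with_allow_list(default)
    strict_cf = with_allow_list(default, [".cfm", ".cfml", ".cfc"])
    for label, cfg in [("shipped", default), ("allow-list", strict), ("allow-list + CF", strict_cf)]:
        print(label, "GET /index.cfm ->", check_request(cfg, "GET", "/index.cfm"))
    print("PROPFIND / ->", check_request(default, "PROPFIND", "/"))
    print("GET /app.ini ->", check_request(default, "GET", "/app.ini"))
    print("GET /%252e%252e/x.cfm ->", check_request(default, "GET", "/%252e%252e/x.cfm"))
```

Running it shows the behaviour Mark describes: with the shipped UseAllowExtensions=0, /index.cfm and /Components/User.cfc pass because .cfm and .cfc are absent from [DenyExtensions]; flip to UseAllowExtensions=1 and the same request is rejected until the ColdFusion extensions are added to [AllowExtensions]. The WebDAV verb, the Translate: header, the traversal sequence, the .ini extension and the double-encoded path are each rejected with the rule that fired, which is the kind of reason you would expect to see when reconciling UrlScan's log against an application that suddenly stopped serving pages.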
