I remain perplexed:
1. How come SSL hit to one site gets postargs stripped while SSL hit to clone site (same everything) worked?
2. If http resetting is involved, is that witango server or, in my case, webstar-specific? Apache does differently?



On Feb 21, 2004, at 9:46 AM, Scott Cadillac wrote:


Hi Roland,

The bigger question, if this is true, is what is witango doing that
other app servers aren't doing?

Probably nothing different.


(Excellent research by the way Roland)

The heart of the issue (that you point to with KB831167) contains this
text:

"Security Patch q832894 included a fix to make Internet Explorer work
better with Web servers that reset http connections when requesting
authentication credentials from the client computer during a POST
request. However, Web servers that reset an http connection with Internet
Explorer for other reasons may experience errors when Internet Explorer
attempts to reset the connection to the server."


[Above from] http://www.microsoft.com/downloads/details.aspx?FamilyID=254EB128-5053-48A7-8526-BD38215C74B2&displaylang=en

I think it's obvious that the MS Engineers just didn't think of
everything when putting this patch together.

There is a wide range of different ways to use HTTP, and this is not the
first time MS missed something when putting a Security patch together.

Remember the IIS Lockdown tool? It has an optional component called
URLScan that is designed to stop malicious attacks to IIS, by filtering
them at the HTTP level with an ISAPI filter (before it reaches application
files or the underlying OS).


One of the problems with URLScan (under its default configuration) is
that it didn't allow for application files with extensions other than
*.asp and a few others. So Witango, PHP, ColdFusion and even FrontPage
Extensions stopped working after installing URLScan.

The following article shows how to fix URLScan for ASP.NET for example.
MS even broke its own great new web technology - sad, but true.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;815155

Hope this helps. Cheers....

Scott Cadillac,
403-281-6090 ~ [EMAIL PROTECTED]
------------
XML-Extranet ~ http://xmlx.ca ~ http://forums.xmlx.ca
Well-formed Programming in C# .NET, Witango, MSIE and XML
------------
Witango ~ http://witango.org
EasyXSLT ~ http://easyxslt.ca
IIS Watcher ~ http://iiswatcher.ca
------------


-----Original Message-----
From: Roland Dumas <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Sat, 21 Feb 2004 08:50:42 -0800
Subject: Re: Witango-Talk: MS Security patch preventing postargs from being submitted


On Feb 21, 2004, at 8:48 AM, Mike R. M. Young wrote:


Well that explains a few weird bits. It has only been noted on my own
machine in this office, (running NT4 server fully updated) and would
only appear to happen later in a given day. I.e., when the ram is
heavily fragmented from a day's use. I chalked it up to lack of ram
and fragmented memory, but this makes much more sense.
Is there a solution? The next MS Security patch for instance?

the report is:
Breaks it: MS04-004 Cumulative Security Update for Internet Explorer (832894)
Fixes it: Microsoft KB831167

The bigger question, if this is true, is what is witango doing that
other app servers aren't doing?

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
