URLEncoding not working in 2.1.2.0

Topics: Developer Forum
Nov 8, 2011 at 8:28 AM

Hi Cheeso,

is this feature disabled in 2.1.2.0 (x86)?
I cannot make it work.
Scenario:
I'm trying to record (in a database) some security breach attempts (Injection).
To eventually understand the kind of threat I'd like to scan the URL, with multiple parameters in the query string, that was called (e.g. www.mysite.com/security.asp?breach1=b1val&breach2=b2Val&breach3=b3Val ).

I'm using the server variable %{URL} to pass the data to another page (e.g. www.anothersite.it/logSecurity.asp?hijackedURL=%{SERVER_NAME}#X%{URL}#E ) in a Rewrite directive, but the IIS var URL is NOT URLEncoded, causing ampersands to pass through and breaking parameter submission to the DB logging page.

Here's my rule:

RewriteRule ^(.*)IDParam=([\d]*[^0-9&](.*))$ www.anothersite.it/logSecurity.asp?hijackedURL=%{SERVER_NAME}#X%{URL}#E [I,R]

Intended purpose: only allow int numbers for IDParam, otherwise _redirect_ to log page
The rewrite works OK, but the query string is NOT URLEncoded, and I end up in the browser ADDRESS BAR with
www.anothersite.it/logSecurity.asp?hijackedURL=www.mysite.com#X/mySiteDir/subDir/scriptName.asp?breach1=b1val&breach2=b2Val&breach3=b3ValSTRANGE_CHARS_HERE

(note the unparsed/unsubstituted "#X")
and only the %{SERVER_NAME} var in DB

Can you help, Cheeso, please?

Thx,

Diego

Nov 8, 2011 at 8:30 AM

Follow-up

I also tried using ProxyPass with no redirect, like this (as a partial workaround):

ProxyPass ^(.*)IDParam=([\d]*[^-0-9&](.*))$ www.anothersite.it/logSecurity.asp?hijackedURL=%{SERVER_NAME}#X$1#E [I]

(in this case, everything BEFORE IDParam would actually include the full query string) but I cannot encode the back variable.

P.S.: Sorry to have become quite verbose here; that probably would have been better placed in a forum.

P.S.2: IIRF is a great piece of SW :-)

P.S.3: I cut & pasted these posts from the related RFE here as requested.
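
The breakage described in these two posts, as an added example that is not part of the thread or of IIRF: the same non-numeric-IDParam pattern as the RewriteRule, and the log-page redirect built once without and once with percent-encoding of the hijacked URL, followed by the query parsing the logging page would do. The sample request, server name and log-page address are constructed for the illustration.

```python
import re
from urllib.parse import quote, urlparse, parse_qs

# Constructed sample data matching the thread's scenario (not real hosts).
SERVER_NAME = "www.mysite.com"
REQUEST_URL = ("/mySiteDir/subDir/scriptName.asp"
               "?IDParam=12abc&breach1=b1val&breach2=b2Val&breach3=b3Val")
LOG_PAGE = "http://www.anothersite.it/logSecurity.asp"

# Same pattern as the RewriteRule in the thread ([I] flag -> IGNORECASE):
# matches only when IDParam contains something other than digits.
NON_NUMERIC_IDPARAM = re.compile(r"^(.*)IDParam=([\d]*[^0-9&](.*))$",
                                 re.IGNORECASE)


def needs_logging(url):
    """True when the request should be redirected to the logging page."""
    return NON_NUMERIC_IDPARAM.match(url) is not None


def build_log_redirect(server_name, url, encode=True):
    """Build the redirect target that carries the offending URL as a parameter.

    encode=False reproduces the unencoded rewrite from the thread;
    encode=True percent-encodes '&', '=', '?' and '/' (safe="") so the whole
    value survives as a single query parameter.
    """
    hijacked = server_name + url
    if encode:
        hijacked = quote(hijacked, safe="")
    return f"{LOG_PAGE}?hijackedURL={hijacked}"


def logged_value(redirect_url):
    """What the logging page stores after standard query-string parsing."""
    params = parse_qs(urlparse(redirect_url).query)
    return params["hijackedURL"][0]


if __name__ == "__main__":
    assert needs_logging(REQUEST_URL)
    # Unencoded: the first '&' in the hijacked URL ends the parameter.
    print(logged_value(build_log_redirect(SERVER_NAME, REQUEST_URL, encode=False)))
    # Encoded: the full original URL, ampersands included, reaches the DB page.
    print(logged_value(build_log_redirect(SERVER_NAME, REQUEST_URL)))
```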

Coordinator
Nov 8, 2011 at 11:51 AM

Hi,

Last week I created a workitem for your issue, see http://iirf.codeplex.com/workitem/31670 .

There is an interim build of the x64 binaries there, for you to try.  It should fix your problem.  Please let me know.


Coordinator
Nov 8, 2011 at 11:55 AM

I've now put an x86 build there for you, as well.  Please let me know if this corrects the problem.

Coordinator
Nov 8, 2011 at 6:22 PM

Let me know if you need instructions on what to do with the zip file which is attached to the workitem I referenced above.

Nov 11, 2011 at 7:51 AM
Edited Nov 11, 2011 at 7:52 AM

Hi Cheeso,

The interim build (x86) seems to solve it and works OK.

Thanks a lot and sorry for being late for feedback.

I also feared that installing would have been a problem but I just copied the file over and restarted IIS just to be sure.

Only curious thing: the interim build is about twice the byte size of the release build. I suppose there is debug info in it.

I tested it on a development server. Can you suggest whether it's already OK to deploy on live sites (is performance affected)?

Bye.

Diego

Coordinator
Nov 11, 2011 at 11:34 AM

Yes, it's a debug build.  The performance of debug builds is usually 20-35% lower than the performance of release builds.

You can use it, but I'd suggest waiting for the official update.


Coordinator
Nov 11, 2011 at 11:50 AM

The release with this fix is now available as a regular download.

http://iirf.codeplex.com/releases/view/70382