IIS denies access to local .com folders

TheMSsForum.com: The Microsoft Software Forum

Hello,
I noticed a strange problem with IIS on my WinXP Pro SP2 machine.

In my web server's directories I have some folders named like
"www.site1.com", "www.site2.it", which contain the actual files of the
corresponding web sites I manage.

So I used to access them by typing URLs such as
http://localhost/www.site1.com/ for folders contained in wwwroot, or
http://localhost/mydata/www.site2.it/ when contained in the "mydata"
virtual directory.
I'm absolutely sure this worked fine for years.

But now, IIS denies access to folders whose name ends with ".com". When
the folder is in a virtual directory, I'm asked for authentication and
then denied access (the error page talks about ACLs, but I have no ACLs on
that virtual directory, as it resides on a FAT32 partition); when it's in
wwwroot, I'm not asked for authentication, and I immediately get an error
page telling instead that execution is not allowed.
Everything works fine, instead, if I rename the folders to make them end
in ".it" or anything else... but the problem remains if I use ".exe".

So it seems like a dumb security measure, I suppose recently introduced
with some WinXP upgrade.
Is there a way to deactivate it? It looks very stupid to me... the server
should know if it's serving a directory or a file... and then I don't see
why it doesn't block access to .bat and .vbs folders, too. 8-/

Thanks in advance.

--
Ciao,
Marco.

..."The Lamb Lies Down on Broadway", Genesis 1974
Top

Re: IIS denies access to local .com folders by Tom

Tom
Fri Jan 21 08:35:33 CST 2005

"Marco De Vitis" <starless@spin.it> wrote in message
news:pxjcfldkfzsr.dlg@starless.mdv...
> Hello,
> I noticed a strange problem with IIS on my WinXP Pro SP2 machine.
>
> In my web server's directories I have some folders named like
> "www.site1.com", "www.site2.it", which contain the actual files of the
> corresponding web sites I manage.
>
> So I used to access them by typing URLs such as
> http://localhost/www.site1.com/ for folders contained in wwwroot, or
> http://localhost/mydata/www.site2.it/ when contained in the "mydata"
> virtual directory.
> I'm absolutely sure this worked fine for years.
>
> But now, IIS denies access to folders whose name ends with ".com". When
> the folder is in a virtual directory, I'm asked for authentication and
> then denied access (the error page talks about ACLs, but I have no ACLs on
> that virtual directory, as it resides on a FAT32 partition); when it's in
> wwwroot, I'm not asked for authentication, and I immediately get an error
> page telling instead that execution is not allowed.
> Everything works fine, instead, if I rename the folders to make them end
> in ".it" or anything else... but the problem remains if I use ".exe".
>
> So it seems like a dumb security measure, I suppose recently introduced
> with some WinXP upgrade.
> Is there a way to deactivate it? It looks very stupid to me... the server
> should know if it's serving a directory or a file... and then I don't see
> why it doesn't block access to .bat and .vbs folders, too. 8-/

http://support.microsoft.com/?kbid=275601


Top

Re: IIS denies access to local .com folders by Marco

Marco
Fri Jan 21 08:59:48 CST 2005

Il 21/01/2005, alle ore 15:35, Tom Kaminski [MVP] ha scritto:

> http://support.microsoft.com/?kbid=275601

Thanks!
Now I know the reason, at least.

But... isn't the article missing something like "Microsoft has confirmed
that this is a problem in the Microsoft products that are listed at the
beginning of this article"? ;)

Rather strange the article is said to apply also to previous versions of
IIS... I'm using this folder naming method since late 2001, and never
encountered this problem until now.

--
Ciao,
Marco.

..."1978 gli dèi se ne vanno, gli arrabbiati restano!", Area 1978
Top

Re: IIS denies access to local .com folders by David

David
Sat Jan 22 03:29:05 CST 2005

This issue only happens if the directory contains those extensions AND you
have Execute Permissions set to anything other than "none".

Static file serving is fine in a directory with .com .

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Marco De Vitis" <starless@spin.it> wrote in message
news:9399568v0wc6$.dlg@starless.mdv...
Il 21/01/2005, alle ore 15:35, Tom Kaminski [MVP] ha scritto:

> http://support.microsoft.com/?kbid=275601

Thanks!
Now I know the reason, at least.

But... isn't the article missing something like "Microsoft has confirmed
that this is a problem in the Microsoft products that are listed at the
beginning of this article"? ;)

Rather strange the article is said to apply also to previous versions of
IIS... I'm using this folder naming method since late 2001, and never
encountered this problem until now.

--
Ciao,
Marco.

..."1978 gli dèi se ne vanno, gli arrabbiati restano!", Area 1978


Top

Re: IIS denies access to local .com folders by Marco

Marco
Sat Jan 22 17:54:02 CST 2005

Il 22/01/2005, alle ore 10:29, David Wang [Msft] ha scritto:

> This issue only happens if the directory contains those extensions AND you
> have Execute Permissions set to anything other than "none".

No, sorry, it also happens with Execute Permissions set to "none", here.
It just slightly changes the behaviour: when the .com directory is placed
inside a virtual directory different from Inetpub/wwwroot, the error
returned is "403.1, execute access not allowed" (roughly translating from
the Italian text I see) if Execute Permissions are set to "none", and
"401.3, access denied by ACL" otherwise.

> Static file serving is fine in a directory with .com .

Not here.

--
Ciao,
Marco.

..."Crac!", Area 1975
Top

Re: IIS denies access to local .com folders by jeff

jeff
Sat Jan 22 21:31:27 CST 2005

On Sun, 23 Jan 2005 00:54:02 +0100, Marco De Vitis <starless@spin.it>
wrote:

>Il 22/01/2005, alle ore 10:29, David Wang [Msft] ha scritto:
>
>> This issue only happens if the directory contains those extensions AND you
>> have Execute Permissions set to anything other than "none".
>
>No, sorry, it also happens with Execute Permissions set to "none", here.
>It just slightly changes the behaviour: when the .com directory is placed
>inside a virtual directory different from Inetpub/wwwroot, the error
>returned is "403.1, execute access not allowed" (roughly translating from
>the Italian text I see) if Execute Permissions are set to "none", and
>"401.3, access denied by ACL" otherwise.
>
>> Static file serving is fine in a directory with .com .
>
>Not here.

Not anywhere more likely. You can't use a .COM extesnion in a folder
name, the file system doesn't like it and IIS will want to execute it.
Rename the folder.

Jeff
Top

Re: IIS denies access to local .com folders by David

David
Sun Jan 23 20:30:23 CST 2005

Sorry, it is unsupported behavior, so I am only going to say that it is
possible and leave it at that.

Though, I will say that I dislike this behavior, a long hold-over from a
decade ago when the letters ".COM" didn't have any "dot COM" meaning that we
associate today.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Marco De Vitis" <starless@spin.it> wrote in message
news:vfbzcnkkbe72.dlg@starless.mdv...
Il 22/01/2005, alle ore 10:29, David Wang [Msft] ha scritto:

> This issue only happens if the directory contains those extensions AND you
> have Execute Permissions set to anything other than "none".

No, sorry, it also happens with Execute Permissions set to "none", here.
It just slightly changes the behaviour: when the .com directory is placed
inside a virtual directory different from Inetpub/wwwroot, the error
returned is "403.1, execute access not allowed" (roughly translating from
the Italian text I see) if Execute Permissions are set to "none", and
"401.3, access denied by ACL" otherwise.

> Static file serving is fine in a directory with .com .

Not here.

--
Ciao,
Marco.

..."Crac!", Area 1975


Top

Re: IIS denies access to local .com folders by Marco

Marco
Mon Jan 24 04:32:35 CST 2005

Il 24/01/2005, alle ore 3:30, David Wang [Msft] ha scritto:

> Sorry, it is unsupported behavior, so I am only going to say that it is
> possible and leave it at that.

No problem, you're welcome. I already decided to replace dots with dashes
and live with it. This is for Jeff, too.
I just wanted to point out that this seems to me like a stupid behaviour
for a serious web server.

> Though, I will say that I dislike this behavior, a long hold-over from a
> decade ago when the letters ".COM" didn't have any "dot COM" meaning that we

Indeed.

--
Ciao,
Marco.

..."A Passion Play", Jethro Tull 1973
Top

Re: IIS denies access to local .com folders by jeff

jeff
Mon Jan 24 16:25:46 CST 2005

On Mon, 24 Jan 2005 11:32:35 +0100, Marco De Vitis <starless@spin.it>
wrote:

>No problem, you're welcome. I already decided to replace dots with dashes
>and live with it. This is for Jeff, too.
>I just wanted to point out that this seems to me like a stupid behaviour
>for a serious web server.

It's not the web server. It's Windows. You can run Apache on Windows
and run into similar issues.

Jeff
Top

Re: IIS denies access to local .com folders by Marco

Marco
Mon Jan 24 16:50:06 CST 2005

Il 24/01/2005, alle ore 23:25, Jeff Cochran ha scritto:

> It's not the web server. It's Windows. You can run Apache on Windows
> and run into similar issues.

Uhm, interesting, although strange: the article Tom pointed me to
expressly talks about an IIS behaviour. I'll take your word for it anyway,
as I'm not going to test it. ;)

--
Ciao,
Marco.

..."Skylarking", XTC 1986
Top