I have an ASP page that has a link to a PDF file and the PDF file name is "Q&A_Full.PDF". When the code is run in our test environment it works. If it is run on our production box I get "File is not Found". If I remove the & from the file name and change the ASP to point to the renamed PDF "QA_Full.PDF" then the code works in both environments. Can anyone tell me what could be causing this? I have ruled out permission issues and the ASP is using relative pathing so the code was not the issue. Is there a patch I do not have applied on my production box or is this a new issue with the latest patch?

Re: I get a file not found message from IIS when the filename contains an ampersand by jcochran

jcochran
Fri Jan 02 12:36:00 CST 2004

On Fri, 2 Jan 2004 10:01:13 -0800, "Steve Mauldin"
<anonymous@discussions.microsoft.com> wrote:

>I have an ASP page that has a link to a PDF file and the PDF file name is "Q&A_Full.PDF" . When the code is run in our test environment it works If it is run on our production box I get "File is not Found". If I remove the & from the file name and change the ASP to point to the renamed PDF "QA_Full.PDF" then the code works in both environments. Can anyone tell me what could be causing this? I have ruled out permission issues and the ASP is using relative pathing so the code was not the issue. Is there a patch I do not have applied on my production box or is this a new issue with the latest patch?

URLScan installed on the production system? Checked the logs for the
request to see what's showing up?

Jeff

Re: I get a file not found message from IIS when the filename contains an ampersand by David

David
Sat Jan 03 02:41:58 CST 2004

I'm not aware of any issues with the latest IIS patches. If you do have an
issue with the latest IIS patches that can be definitively described and
reproduced, it would be great to share.

Your issue sounds like the production box has URLScan installed, which by
default denies URLs with '&' and sends a 404 "File is not Found". To
verify, look at URLScan log at %SYSTEMROOT%\System32\inetsrv\urlscan\*.log
and see the rejection reason for the URL with '&' in it.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//



Re: I get a file not found message from IIS when the filename contains an ampersand by anonymous

anonymous
Mon Jan 05 12:06:06 CST 2004

David,

It looks like both you and Jeff Cochran are correct. URLScan was installed on the production server sometime in the past and it is blocking the URL requests that contain an &, and the test server does not have it installed.

Does URLScan also stop a valid & on the URL?
I.e. variables being passed on the URL, as an example:
welcome.asp?myvariable=myvalue&mysecondvariable=mysecondvalue.

Also a question from my Network Admin was "Is URLScan still needed since it was a short term fix for the Code Red II virus and several patches have come out since Code Red II cropped up?"

Thanks for all your input on this.

Re: I get a file not found message from IIS when the filename contains an ampersand by Bernard

Bernard
Mon Jan 05 21:05:31 CST 2004

You can always review the urlscanxxxxx.log when you think it's blocking your
request. Next, URLScan is a good protection filter for IIS; don't remove it.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...



Re: I get a file not found message from IIS when the filename contains an ampersand by David

David
Mon Jan 05 23:06:13 CST 2004

Ok, time for URL anatomy:

http://server/vdir/hello.exe/path/info?querystring&Var1=Val1&Var2=Val2

http:// - protocol namespace
server - destination server
/vdir/hello.exe - "URL"
/path/info - PathInfo
?querystring&Var1=Val1&Var2=Val2 - Querystring


URLScan applies several of its verifications against the "URL" and PathInfo
(Note that without server-side configuration, it's not possible to determine
whether the real URL "resource" is "/vdir with a PathInfo of
/hello.exe/path/info" , or "/vdir/hello.exe/path with a PathInfo of /info" ,
etc). It does not even look at anything beyond the first '?' since it is
querystring, by definition opaque user data where anything can be valid.

You want to run URLScan as it is a defense layer for your webserver. It
allows rejection of requests based on request characteristics under the idea
that request-based attacks and vulnerability have a certain "signature" that
can be rejected to thwart that attack. For example, URLScan easily thwarts
Code Red and Code Red since they have very identifiable signatures.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
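
Added example, not part of the original posts and not URLScan's own code: a small Python model of the behaviour described above, where deny sequences are checked only against the URL and PathInfo (everything before the first '?') and the querystring is ignored. The `DENY_SEQUENCES` list and the `docs/` paths are assumptions; only '&' being denied comes from the thread.

```python
from urllib.parse import urlsplit

# Assumed deny list for this sketch. Only "&" comes from the thread;
# the other entries are illustrative stand-ins for a site's own list.
DENY_SEQUENCES = ["&", "..", "\\"]


def scanned_part(url):
    """Return the part of the request a URLScan-style filter inspects:
    the URL plus PathInfo, i.e. everything before the first '?'."""
    return urlsplit(url).path


def rejection_reason(url, deny=DENY_SEQUENCES):
    """Return the first denied sequence found in the scanned part, or None."""
    path = scanned_part(url)
    for seq in deny:
        if seq in path:
            return seq
    return None


def audit_links(urls, deny=DENY_SEQUENCES):
    """Map each link that would be rejected to the sequence that triggers it."""
    return {u: r for u in urls if (r := rejection_reason(u, deny)) is not None}


# Constructed sample links, using the names quoted in the thread.
SAMPLE_LINKS = [
    "docs/Q&A_Full.PDF",
    "docs/QA_Full.PDF",
    "welcome.asp?myvariable=myvalue&mysecondvariable=mysecondvalue",
    "http://server/vdir/hello.exe/path/info?querystring&Var1=Val1&Var2=Val2",
]

if __name__ == "__main__":
    for link, seq in audit_links(SAMPLE_LINKS).items():
        print(f"would be rejected: {link!r} (contains {seq!r})")
```

Running the same audit over a site's link targets before enabling the filter on a new server shows which file names would start returning 404.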



Re: I get a file not found message from IIS when the filename contains an ampersand by Bernard

Bernard
Tue Jan 06 00:11:21 CST 2004

What do you mean by "without server-side configuration"?
The & after the first '?' is acceptable by default.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...