Rick Strahl's Weblog
Rick Strahl's FoxPro and Web Connection Weblog
White Papers | Products | Message Board | News |

IIS 7 Default Request Filtering and Web Connection


8 comments
April 06, 2008 •

IIS 7 has an extensive list of extensions and paths that it deems as restricted. This is generally a good thing as it blocks URL access to many common paths that are frequently used in Web applications to hold semi-private files like code and binary assemblies for example in ASP.NET applications.

 

As it turns out the default behavior also affects Web Connection because the default filtering completely disallows direct access to a BIN directory. In addition, IIS 7 blocks out access to many file extensions that you might previous have used for your own script mapes. For example, I just ran a demo and created a script map of .dd for my project only to find that it bombed with 404 everytime. It took some sleuthing to find out that .dd is a restricted extension and changing the extension immediately fixed the problem.


So what does it mean to your Web Connection Apps?

The biggest issue that you might run into with IIS 7 that if you have WC.DLL installed in the /Bin directory of your virtual or Web root, you cannot access the DLL directly. Urls like this:

 

/your Virtual/wc.dll?wwMaint~ShowStatus

 

Will fail to work and you'll get a 404 error like this:

HTTP Error 404.0 - Not Found

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Detailed Error Information  

Module

IsapiFilterModule

Notification

MapPath

Handler

ISAPI-dll

Error Code

0x80070002

Requested URL

http://localhost:80/timetrakker/bin/wc.dll?wwMaint~ShowStatus

Physical Path

c:\westwind\TimeTrakker\bin\wc.dll

Logon Method

Not yet determined

Logon User

Not yet determined

     

Most likely causes:  

·         The directory or file specified does not exist on the Web server.

·         The URL contains a typographical error.

·         A custom filter or module, such as URLScan, restricts access to the file.

 

The restriction here lies in IIS 7's configuration for Request Filtering which can be found in ApplicationHost.config (in System32/inetsvr/config). In it you'll find a request filtering section:

 

<requestFiltering>

    <fileExtensions allowUnlisted="true">

        <add fileExtension=".asa" allowed="false" />

        <add fileExtension=".asax" allowed="false" />

        <add fileExtension=".ascx" allowed="false" />

        <add fileExtension=".master" allowed="false" />

        <add fileExtension=".skin" allowed="false" />

        <add fileExtension=".browser" allowed="false" />

        <add fileExtension=".sitemap" allowed="false" />

        <add fileExtension=".config" allowed="false" />

        <add fileExtension=".cs" allowed="false" />

        <add fileExtension=".csproj" allowed="false" />

        <add fileExtension=".vb" allowed="false" />

        <add fileExtension=".vbproj" allowed="false" />

        <add fileExtension=".webinfo" allowed="false" />

        <add fileExtension=".licx" allowed="false" />

        <add fileExtension=".resx" allowed="false" />

        <add fileExtension=".resources" allowed="false" />

        <add fileExtension=".mdb" allowed="false" />

        <add fileExtension=".vjsproj" allowed="false" />

        <add fileExtension=".java" allowed="false" />

        <add fileExtension=".jsl" allowed="false" />

        <add fileExtension=".ldb" allowed="false" />

        <add fileExtension=".dsdgm" allowed="false" />

        <add fileExtension=".ssdgm" allowed="false" />

        <add fileExtension=".lsad" allowed="false" />

        <add fileExtension=".ssmap" allowed="false" />

        <add fileExtension=".cd" allowed="false" />

        <add fileExtension=".dsprototype" allowed="false" />

        <add fileExtension=".lsaprototype" allowed="false" />

        <add fileExtension=".sdm" allowed="false" />

        <add fileExtension=".sdmDocument" allowed="false" />

        <add fileExtension=".mdf" allowed="false" />

        <add fileExtension=".ldf" allowed="false" />

        <add fileExtension=".ad" allowed="false" />

        <add fileExtension=".dd" allowed="false" />

        <add fileExtension=".ldd" allowed="false" />

        <add fileExtension=".sd" allowed="false" />

        <add fileExtension=".adprototype" allowed="false" />

        <add fileExtension=".lddprototype" allowed="false" />

        <add fileExtension=".exclude" allowed="false" />

        <add fileExtension=".refresh" allowed="false" />

        <add fileExtension=".compiled" allowed="false" />

        <add fileExtension=".msgx" allowed="false" />

        <add fileExtension=".vsdisco" allowed="false" />

    </fileExtensions>

    <verbs allowUnlisted="true" />

    <hiddenSegments>

        <add segment="web.config" />

        <add segment="bin " />

        <add segment="App_code" />

        <add segment="App_GlobalResources" />

        <add segment="App_LocalResources" />

        <add segment="App_WebReferences" />

        <add segment="App_Data" />

        <add segment="App_Browsers" />

    </hiddenSegments>

</requestFiltering>

 

The culprit for the direct WC.DLL execution is the hidden segment of bin filter in the hiddenSegments section. This filter basically prevents anything to be Web visible via URL that has a bin directory in its path.

 

        <add segment="bin " />

 

If you absolutely need to run wc.dll directly and you don't or can't use scriptmaps – which I highly recommend anyway though – you can comment out this block

<!-- add segment="bin" /-->

 

Which will then allow you to execute wc.dll out of the bin directory. NOTE: I would not advise this! It's a bad call to override these system settings because you'll have to remember to do it every time you install a new installation or move it.

 

Note that request filtering is a global setting – it must be set in ApplicationHost.config and cannot be delegated down to the web.config unless you override this setting:

 

<section name="requestFiltering" overrideModeDefault="Deny" />

 

And change the key to Allow.

 

Another option: Move the DLL out of the BIN directory into the root or another folder.

 

But I wouldn't recommend changing either of these options! The former mucks with default configuration settings that you have to remember to set each time the app gets reinstalled and the latter requires changing URLs anyway - and there's a better way to do that with scriptmaps.

 

So a better solution is to always use script maps. Create a script map or even use one of the default script maps that Web Connection installs into every installation (.WC, .WCSX are two of them) and replace every call to wc.dll with wc.wc and remove the /Bin path from the url. So

 

/myVirtual/bin/wc.dll?wwMaint~ShowStatus

 

Might become

 

/myVirtual/wc.wc?wwMaint~ShowStatus

 

In some situations this may cause pathing problems because if you used the DLL pages were pathed to the bin directory and relative links for image and other resources may have been relative to the bin folder.

 

But this is why we've tried for years to push our user to use script maps in the first place – script maps are much easier to manage both in terms of security as well as flexibilty.

 

Watch out for other blocked Extensions

When you create new projects and new script map extensions, you should be careful not to choose any blocked extensions.

 

For example when I tried to create an extension for .dd and then hit a page with this extension I got:

 

HTTP Error 404.7 - Not Found

The request filtering module is configured to deny the file extension.

Detailed Error Information  

Module

RequestFilteringModule

Notification

BeginRequest

Handler

StaticFile

Error Code

0x00000000

Requested URL

http://localhost:80/timetrakker/default.dd

Physical Path

c:\westwind\TimeTrakker\default.dd

Logon Method

Not yet determined

Logon User

Not yet determined

     

Most likely causes:  

·         Request filtering is configured for the Web server and the file extension for this request is explicitly denied.

Things you can try:  

·         Verify the configuration/system.webServer/security/requestFiltering/fileExtensions settings in applicationhost.config and web.config.

Note that here the message points you right at the problem and where to look. It points right at the Request Filtering section in ApplicationHost.config. If you look back on the list of extensions you can see that .DD is indeed included in the list of restricted extensions.

 

Again the solution here is either to allow the extension or alternately choose a different extension.

 

 

This seems like a lot of new restrictions but I'd say these are a good thing. They are easy to fix or workaround as long as you know what the settings are. None of this is a problem for Web Connection applications that use script maps to begin with, so this is a reminder why script map formatting is the way to go with WWWC applications…

Posted in:

Feedback for this Weblog Entry


re: IIS 7 Default Request Filtering and Web Connection



not working for .SVC file
January 21, 2010

thanks for ur suggestion, i try this method, when i implemented .svc file, it block the entire site activies, since my project is based on svc file.

Please help me.

<add fileExtension=".svc" allowed="false" />

re: IIS 7 Default Request Filtering and Web Connection



Scobee
February 25, 2010

Awesome.. This is exacly the fix that did the trick for me had a binary in the a "bin" directory and this fixed it right away.. though not happy about the vulnerabilty that now exists it is low risk for our internally hosted app.

re: IIS 7 Default Request Filtering and Web Connection



Asif Chouhan
September 18, 2010

I have hosted my web application on II7 now it is blocking all the pop up and it is giving above error.

re: IIS 7 Default Request Filtering and Web Connection



Mr. T
September 19, 2010

thank you for your post , u are a life saver !

re: IIS 7 Default Request Filtering and Web Connection



BeginnerPHP
May 17, 2011

Still getting the error " HTTP Error 404.0 - Not FoundThe resource you are looking for has been removed, had its name changed, or is temporarily unavailable." Even after making the modifications to ApplicationHost.Config file!

re: IIS 7 Default Request Filtering and Web Connection



BeginnerPHP
May 17, 2011

I am working on the following settings: windows 7 and PHP on eclipse IDE, and Zend debugger, and IIS server!

re: IIS 7 Default Request Filtering and Web Connection



coolguy97
March 14, 2012

Hi, Can we redirect to custom error page saying url not found in above scenario and log the exact error in our logger.

re: IIS 7 Default Request Filtering and Web Connection



faa
May 31, 2017

Hello, i am facing the issue while using request filtering option. My website didn't work until I add '.' in allowed list. I am unable to find which particular extension I am missing. Thanks in advance.

 
© Rick Strahl, West Wind Technologies, 2003 - 2024