IIS tilde vulnerability issue

Solution 1

It can be fixed by doing either of the following:

1. Install .NET 4.0 on the web server. 

OR

2. Install and configure IIS URLScan module (do not allow ~ chars in the URL by adding ~ to [DenyUrlSequences] section).

Find more helpful info here: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
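As an added example that is not part of either answer: an IIS URL Rewrite rule in web.config (requires the URL Rewrite module; the rule name and response text are my own) that rejects every request whose path contains a tilde, which is the URL-rewriting approach the question asks about. Because every tilde request gets the same response whether or not a matching 8.3 name exists, the 404-versus-400 difference that the short-name guessing depends on disappears.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Reject any request whose URL path contains "~".
             The pattern is an unanchored regex, so "~" on its own matches a tilde
             anywhere in the path. URL Rewrite evaluates the decoded path, so a
             percent-encoded tilde (%7E) is caught as well. -->
        <rule name="Block tilde short-name requests" stopProcessing="true">
          <match url="~" />
          <!-- Identical answer for every tilde request: no status-code oracle -->
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found"
                  statusDescription="The requested resource was not found." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

To check the rule, request a path with ~1 for a name that exists and for one that does not; both must come back with the same 404.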

Solution 2

You need to disable 8.3 filename generation on IIS. It's a simple registry change, but you need to copy all affected directories, so IIS needs to be stopped.

How to disable 8.3 file name creation on NTFS partitions

NtfsDisable8dot3NameCreation

Author by vk_muse

Updated on June 04, 2022

Comments

  • vk_muse almost 2 years

    Here is issue that we have on one of our site:

    File/directory name bruteforcing using the Windows file system shorthand characters and status returns codes

    It is possible to find an unknown filename up to six characters by using shorthand file characters such as ~1 and
        Example: site.com/admin/uplo*~1*/.aspx
    This attack relies on reading the different error codes the web server responds with when the file(s) exist or not. Let's say the file upload.aspx exists in the directory admin. Our attack's responses would look like this:
        site.com/admin/uplo*~1*/.aspx – IIS returns HTTP 404 File Not Found (valid file)
        site.com/admin/uplp*~1*/.aspx – IIS returns HTTP 400 Bad Request (invalid file)
            Note that IIS 7.x responds with different error codes (0x0 when valid) instead of HTTP status codes
    

    More Details http://www.alertlogic.com/internet-information-server-iis-exploitation-2/

    One of the possible solutions: ... If possible you may want to look into using URL rewriting to not allow any URL with a tilde character to be accepted ...

    Question: How do I do that? What regular expression should be used in a URL rewriting rule in order to discard the ~ character in all URLs on the website (ASP.NET 3.5)?

    • GlennG almost 10 years
      Alertlogic URL doesn't work - returns 404