403 forbidden, for URL containing double escape sequence (%5c../%5c../%5c../%5c../%5c..)

  • Question

  • User-1763990519 posted

    Hosted one web application on IIS 8.5. When passing some double escape characters in the mentioned sequence, e.g. https://myserver/Login.aspx/%5c../%5c../%5c../%5c../%5c../%5c.., instead of getting the error page under the location <error statusCode="403" prefixLanguageFilePath="c:\inetpub\custerr" path="403.htm" />, the server is throwing the page below:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
    <HTML><HEAD><TITLE>Forbidden</TITLE>
    <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
    <BODY><h2>Forbidden URL</h2>
    <hr><p>HTTP Error 403. The request URL is forbidden.</p>
    </BODY></HTML>
    

    Tried to resolve the issue with different solutions like URL Rewrite, HTTP request filtering and custom error pages, but no luck.

    We even tried with the Microsoft website by adding the wild characters, like https://www.microsoft.com/%5c../%5c../%5c../%5c../%5c../%5c.., and it still throws the above page only. Kindly look into the issue and revert.

    Sunday, February 12, 2017 1:12 PM

All replies

  • User-2057865890 posted

    Hi Ziyadsalim,

    The following configuration example, when included in the Web.config file for a Web site or application, uses the errorMode attribute to only allow detailed error messages to appear on the local computer.

    <configuration>
       <system.webServer>
          <httpErrors errorMode="DetailedLocalOnly" defaultResponseMode="File" >
             <remove statusCode="403" />
             <error statusCode="403"
                prefixLanguageFilePath="c:\inetpub\custerr"
                path="403.htm" />
           </httpErrors>
       </system.webServer>
    </configuration>

    reference: https://www.iis.net/configreference/system.webserver/httperrors

    Best Regards,

    Chris

    Monday, February 13, 2017 7:49 AM
  • User-1763990519 posted

    Hi Chris,

    Thank you very much for your reply. We tried the workaround suggested by you but are still getting the same HTML page, not the .htm file. For your reference I copied the system.webServer section of my application's web.config.

    <system.webServer>
      <validation validateIntegratedModeConfiguration="false"/>
      <handlers>
        <add name="MSCaptcha" path="CaptchaImage.axd" verb="*" type="MSCaptcha.CaptchaImageHandler" resourceType="Unspecified" preCondition="integratedMode"/>
        <add name="CrystalImageHandler.aspx_GET" verb="GET" path="CrystalImageHandler.aspx" type="CrystalDecisions.Web.CrystalImageHandler, CrystalDecisions.Web, Version=13.0.2000.0, Culture=neutral, PublicKeyToken=abc" preCondition="integratedMode"/>
      </handlers>
      <httpProtocol>
        <customHeaders>
          <!-- HTTP 1.1 -->
          <add name="Cache-Control" value="no-cache, no-store, must-revalidate"/>
          <!-- HTTP 1.0 -->
          <add name="Pragma" value="no-cache"/>
          <add name="Expires" value="0"/>
        </customHeaders>
      </httpProtocol>
      <httpErrors errorMode="DetailedLocalOnly" defaultResponseMode="File">
        <remove statusCode="403" />
        <error statusCode="403" prefixLanguageFilePath="c:\inetpub\custerr" path="403.htm" />
      </httpErrors>
    </system.webServer>

    I even changed the web.config of the application server itself, but the same HTML 403 is still displayed. Kindly advise.

    Once again Thank you.

    Tuesday, February 14, 2017 5:53 AM
  • User-2057865890 posted

    Hi Ziyadsalim,

    https://myserver/Login.aspx/%5c../%5c../%5c../%5c../%5c../%5c..

    A dot in the URI path: a request that contains a dot other than the one for the resource extension will be rejected.

    reference: https://blogs.iis.net/nazim/use-of-special-characters-like-in-an-iis-url

    Best Regards,

    Chris

    Wednesday, February 15, 2017 6:51 AM
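The following is an added example, not code from the thread and not IIS's own implementation. It models the path normalisation a server applies before a request is routed to a site, so you can see what the URL from the question (`/Login.aspx/%5c../%5c../...`) turns into once `%5c` is decoded to a backslash and treated as a separator: every `..` climbs one level, and the request escapes the site root. A second helper tells the canned "Forbidden URL" body quoted in the question apart from a site-supplied `403.htm`, which is the check the original poster needed to confirm whether the custom error page was ever served. The decoding order, the rejection reasons and the status codes are assumptions of this model; the custom-page body used in the check is constructed.

```python
"""Model of pre-routing URL normalisation and a 403-body check.

Added example, not IIS code.  Rules assumed for the model:
  * percent-decode once; a result that still decodes further is a
    double-escaped sequence and is rejected;
  * a backslash ('\\') is treated as a path separator, like '/';
  * a '..' segment that climbs above the site root is rejected.
"""
from urllib.parse import unquote, urlsplit

# Phrases present in the built-in "Forbidden URL" page quoted in the question.
CANNED_403_MARKERS = ("<TITLE>Forbidden</TITLE>", "The request URL is forbidden.")

# Body exactly as quoted in the question.
QUESTION_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\n'
    "<HTML><HEAD><TITLE>Forbidden</TITLE>\n"
    '<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\n'
    "<BODY><h2>Forbidden URL</h2>\n"
    "<hr><p>HTTP Error 403. The request URL is forbidden.</p>\n"
    "</BODY></HTML>\n"
)

# Constructed stand-in for a site's own c:\inetpub\custerr\403.htm.
CUSTOM_BODY = "<html><body><h1>Access denied (custom 403.htm)</h1></body></html>"


def normalize_path(raw_path):
    """Return (status, reason, canonical_path) for a raw request path."""
    decoded = unquote(raw_path)
    # %255c decodes to %5c, which would decode again: double escaping.
    if unquote(decoded) != decoded:
        return 403, "double-escaped sequence", decoded
    # Unify separators so "\.." and "/.." are handled identically.
    unified = decoded.replace("\\", "/")
    segments = []
    for seg in unified.split("/"):
        if seg in ("", "."):
            continue  # empty segment from "//" or a no-op "."
        if seg == "..":
            if not segments:
                # Nothing left to pop: the path has left the site root.
                return 403, "traversal above site root", unified
            segments.pop()
            continue
        segments.append(seg)
    return 200, "ok", "/" + "/".join(segments)


def normalize_url(url):
    """Apply normalize_path to the path component of a full URL."""
    return normalize_path(urlsplit(url).path)


def is_canned_403(body):
    """True when the body is the built-in 'Forbidden URL' page, not a site 403.htm."""
    return all(marker in body for marker in CANNED_403_MARKERS)


if __name__ == "__main__":
    for url in (
        "https://myserver/Login.aspx",
        "https://myserver/img/../Login.aspx",
        "https://myserver/Login.aspx/%5c../%5c../%5c../%5c../%5c../%5c..",
        "https://myserver/Login.aspx/%255c..",
    ):
        print(url, "->", normalize_url(url))
    print("question body is canned 403:", is_canned_403(QUESTION_BODY))
    print("custom body is canned 403:", is_canned_403(CUSTOM_BODY))
```

Because the question's URL is rejected during normalisation, before any site-level handler runs, changing `httpErrors` in web.config has nothing to act on; that matches the thread's observation that the same page comes back from microsoft.com. A probe that fetches the URL and passes the body to `is_canned_403` is the quickest way to tell, for any server, whether the custom 403 page was reached at all.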