I'm having IIS (Microsoft-IIS/7.5) return back a 403 forbidden and I cannot figure out why. I've narrowed it down to %2F
but only when a single letter precedes it. Any idea what could be causing this?
These Work...
But if you put any single letter in front of the %2F
it fails with a 403.
These Fail...
Thanks!
UPDATE: I have ruled out ColdFusion because this gives the same 403: http://example.com/mySite123/indexdotcfm?x=a%2F
UPDATE:
Top Level IIS:
Checked:
Allow unlisted file name extensions
Allow unlisted verbs
Allow high-bit characters
Unchecked:
Allow double escaping
Request Limits:
Maximum allowed content length (Bytes): 30000000
Maximum URL length (Bytes): 4096
Maximum query string (Bytes): 2048
Sites
mySite123:
Checked:
Allow unlisted verbs
Allow high-bit characters
Unchecked:
Allow unlisted file name extensions
Allow double escaping
Request Limits:
Maximum allowed content length (Bytes): 2147483647
Maximum URL length (Bytes): 4096
Maximum query string (Bytes): 2048
Deny URL
/CFIDE/Administrator
/CFIDE/adminapi
UPDATE: If I change the directory I'm hitting I can make the 403 change to a 404. Example:
This returns a 404 as expected: http://www.example.com/anything.anything?anything=x%2Fanything
This returns a 403: http://www.example.com/mySite123/anything.anything?anything=x%2Fanything
So is it safe to assume the 403 issue has something to do with the "mySite123" virtual directory setup?
I am pretty sure you are getting the 403 Forbidden response as a security feature of IIS. This is a known attack vector. The character sequence %2F is simply the URL encoded representation of the / (forward slash) character. Obviously that has special meaning for browsers and the internet. It is used for directory traversal. Encoding special characters in the URL is a hacking trick to bypass some basic security measures. See Path Traversal from OWASP. From the full text of "The Web Application Hacker's Handbook" (about half-way down that page):
Chapter 10 Attacking Back-End Components 575
HACK STEPS
Always try path traversal sequences using both forward slashes and back slashes. Many input filters check for only one of these, when the filesystem may support both.
Try simple URL-encoded representations of traversal sequences using the following encodings. Be sure to encode every single slash and dot within your input:
Dot — %2e
Forward slash — %2f
Backslash — %5c
Try using 16-bit Unicode encoding:
Dot — %u002e
Forward slash — %u2215
Backslash — %u2216
Try double URL encoding:
Dot — %252e
Forward slash — %252f
Backslash — %255c
Try overlong UTF-8 Unicode encoding:
Dot — %c0%2e, %e0%40%ae, %c0ae, and so on
Forward slash — %c0%af, %e0%80%af, %c0%2f, and so on
Backslash — %c0%5c, %c0%80%5c, and so on...
(The bold is my emphasis)
You could potentially come up with a way to allow this but why would you? I would not recommend it. Do you want to open up your server to potential attacks? I think it would be best to avoid this URL sequence altogether. Is the forward slash character really needed in the URL query string? Instead of finding a way to allow this character in the query string perhaps you can use a different one that is not as dangerous and does not expose your server. For that particular URL variable you could look for this different character and replace it with what you need on the server side. Something like:
Instead of
http://example.com/index.cfm?x=a%2Fblah
Use
http://example.com/index.cfm?x=a-blah
Then on the server you know to expect the - (dash) character in the x variable, so you replace it with the / (forward slash) character on the server. Or whatever character is needed.
In ColdFusion
<cfset x = Replace(URL.x,"-","/","ALL") />
Just be sure to use some unique character that will not exist in that string. Always remember to sanitize ALL user supplied input on the server.
Here are some references that I found regarding the %2f character sequence being vulnerable in the URL:
Component titles containing '/' (forward slash) characters
IIS URL Decoding Vulnerability
Receive an HTTP 400 error if %2F is part of the GET URL in JBOSS
URL-encoded slash in URL
Generic Google search about the topic
Note that some of the above references are related to web servers other than IIS but they show the vulnerability exists.
Something else you might be able to try is double escaping the sequence. So instead of %2f you have %252F (%25 is a percent sign). But you will need to make changes in IIS to support this as well. Reference - if I name an image with a %2F, I cannot access it and when navigating to it, I get a 404. I think this would be a last resort though. Double Encoding
Just to add some specifics to this thread: the %2f (which is just an encoded version of the / as previously stated) plagued Microsoft for a while with directory traversal vulnerabilities that allowed hackers to access files outside of web directories. Popular intrusion prevention systems (like Snort) have rules to block this sort of behavior. Here is a detailed write up of the issue along with historical examples of the attack strings and security advisories. That %2f encoding caused a world of pain for web server admins and security admins for years (and variants of the attack are still being actively exploited today).
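The encodings in the hack steps quoted in the first answer, and the IDS-style blocking of %2f that the second answer mentions, as an added example that is not code from either answer, from the book, from IIS or from Snort: a small Python decoder that unwraps each listed encoding (plain %XX, 16-bit %uXXXX, double encoding, overlong UTF-8) and reports whether a path separator or a ../ sequence comes out, run over constructed sample values including the question's failing "a%2F". The best-fit folding of U+2215 and U+2216 to / and \, and the lenient handling of overlong and malformed UTF-8, are assumptions that imitate historically permissive decoders, not documented IIS behaviour.

```python
"""Added example for this page: decode the traversal encodings listed in the
quoted hack steps and classify the result. Not IIS, Snort or ColdFusion code.

Assumptions (not documented IIS behaviour): U+2215/U+2216 are best-fit folded
to / and \\, and overlong or malformed UTF-8 is decoded by keeping the low six
bits of each trailing byte, the way historically buggy decoders did."""
import re

# 16-bit %uXXXX form (the "%u002e" of the hack steps) and ordinary %XX.
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")
_PCT_HEX = re.compile(r"%([0-9a-fA-F]{2})")

# Assumption: best-fit table folding look-alike code points to ASCII separators.
_BEST_FIT = {"\u2215": "/", "\u2216": "\\"}

# ".." bounded by a separator or the string edge, with either slash type.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def _lenient_utf8(data: bytes) -> str:
    """Decode like the permissive decoders the hack steps target: overlong
    %c0%af and even %c0%2e (second byte not a continuation byte) both yield
    ASCII because only the low six bits of trailing bytes are kept. Strict
    UTF-8 rejects all of these. Four-byte sequences are not handled."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < n:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < n:
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            i += 3
        else:
            cp = b
            i += 1
        out.append(chr(cp))
    return "".join(out)


def decode_once(s: str) -> str:
    """One decoding round: %uXXXX, then best-fit folding, then %XX to bytes
    (literal characters are kept as their UTF-8 bytes) and the lenient decoder."""
    s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = "".join(_BEST_FIT.get(c, c) for c in s)
    buf = bytearray()
    i = 0
    while i < len(s):
        m = _PCT_HEX.match(s, i)
        if m:
            buf.append(int(m.group(1), 16))
            i = m.end()
        else:
            buf.extend(s[i].encode("utf-8"))
            i += 1
    return _lenient_utf8(bytes(buf))


def normalize(s: str, max_rounds: int = 3) -> str:
    """Decode until nothing changes so double encoding (%252f) is unwrapped;
    bounded so pathological input cannot make this spin."""
    for _ in range(max_rounds):
        d = decode_once(s)
        if d == s:
            return s
        s = d
    return s


def classify(value: str) -> dict:
    """'separator' is what the question's request filtering rejects;
    'traversal' is the actual attack pattern the hack steps are after."""
    decoded = normalize(value)
    return {
        "decoded": decoded,
        "separator": "/" in decoded or "\\" in decoded,
        "traversal": bool(_TRAVERSAL.search(decoded)),
    }


# Constructed sample values: the question's failing input, the answer's
# replacement character, and one value per encoding from the hack steps.
SAMPLES = [
    "a%2F",
    "a-blah",
    "..%2f..%2fwindows%2fwin.ini",
    "%2e%2e%5c%2e%2e%5cboot.ini",
    "%u002e%u002e%u2215etc%u2215passwd",
    "%252e%252e%252fetc%252fpasswd",
    "%c0%ae%c0%ae%c0%afetc%c0%afpasswd",
    "%c0%2e%c0%2e%c0%2fetc",
    "%e0%80%ae%e0%80%ae%e0%80%afetc",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = classify(sample)
        print(f"{sample:36} -> {r['decoded']!r:24} sep={r['separator']} trav={r['traversal']}")
```

The point of the separate "separator" and "traversal" flags is the one the question stumbled on: a filter that rejects any decoded separator (as IIS did for "a%2F") blocks legitimate values like "a/blah" along with attacks, while a filter that only looks for ".." before decoding misses every encoded variant above.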