2

I installed UrlScan a few days ago and it seemed to be working fine, however in the log I saw it was blocking lots of files from websites that I didn't want (Explanation here)

It's blocking files with Dots in the URL (Especially assets like .js files and .css files). So it broke a lot of sites.

So I changed the following as per the docs and that blog post.

AllowDotInPath=0

to

AllowDotInPath=1

And restarted IIS, but nothing changed. It's still blocking Dots in paths. And then I restarted the entire server... And guess what. It's still blocking dots in path?

I have no idea what to do next, apart from un-install it? Anyone else this issue?

YodasMyDad
  • 329
  • 6
  • 14

2 Answers2

2

It appears there has to be a blank line before the [Options] section. Without this blank line I was not able to get any of the settings in this section to work, as soon as I i added it everything worked fine.

It is also possible to replace the first blank line by a comment (starting with ;).

Tested with UrlScan 3.1 and IIS 7.5

Waldfee
  • 121
  • 4
1

You can also just remove URLScan from the ISAPI filters for that specific website, if you don't want the vulnerability affecting the whole server.

IIS Manager / Server / Sites / YourSite / IIS / ISAPI Filters, select "URLScan" and click "Remove" on the righthand action menu.

Alex
  • 71
  • 4