500 Internal Server Error IIS7 Encoded url - asp.net

I'm using N2CMS and am looking into some issues I have with it. It has a navigation panel on the left-hand side that loads via AJAX as you expand the tree.
The code that gets the children of the node calls an ashx file with some parameters. One parameter is for a path and contains slashes in it. For this reason it has been encoded.
.../cms/Content/Navigation/LoadTree.ashx?target=preview&selected=%252fhome%252fhelp-and-advice%252f
I have had no issues with this on my development server (running IIS 7.5), but when deployed to our test server (IIS 7) the navigation fails to work.
Investigating this has shown that the above URL gives a 500 error.
If I decode the URL to
.../cms/Content/Navigation/LoadTree.ashx?target=preview&selected=/home/help-and-advice/
it works with no problems.
Unfortunately I cannot change the code that generates this, as it's a part of the N2CMS source code and I am assuming it has been encoded for a good reason.
Does anyone know anything I can do, either in my web.config to allow encoded parameters or something I can change on the IIS server?
EDIT:
So this link seems to suggest that it's doing this on purpose as a security measure.
http://msdn.microsoft.com/en-us/library/ee656542.aspx
The suggested solution is to upgrade to .NET 4.0 and add the following to the web.config:
<configuration>
  <uri>
    <schemeSettings>
      <add name="http" genericUriParserOptions="DontUnescapePathDotsAndSlashes"/>
    </schemeSettings>
  </uri>
</configuration>
Unfortunately this seems to have no effect.
Any ideas why this doesn't work?

This could be the URLScan utility. URLScan blocks URLs based on the rules in its config file. It also has its own log file, so you can tell for sure by looking at the URLScan log.
Do a Google search for the URLScan default location.

It seems your URL goes through 2 HTML encodes.
Is there some URL rewriting module active on your IIS7 server?

OK, I'm getting somewhere with this.
When trying to find the error in the IIS logs and failing, then looking through many posts about failed request tracing and still not getting any errors in IIS, I figured that the request was just not getting to IIS.
Looking back at the server error, there was a clue there too.
500 Internal Server Error. The request was rejected by the HTTP filter.
It is the firewall!!
We have disabled the HTTP Filter and now it works :)
I now need to investigate what this HTTP Filter was supposed to be protecting us against and whether we are secure now that we have switched it off.
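
Added example, not part of the thread and not N2CMS or firewall code: the `selected` value in the failing URL is percent-encoded twice (`%252f` decodes to `%2f`, and only a second pass yields `/`). The Python sketch below flags query parameters that need more than one decode pass, which is one kind of check a request filter can apply; the thread does not say which rule the firewall's HTTP Filter actually used. The host name, `MAX_PASSES` and the function names are assumptions.

```python
from urllib.parse import unquote, urlsplit

MAX_PASSES = 5  # assumption: cap on decode passes so hostile input cannot loop us

# Constructed URLs: the host is a placeholder; path and query are those quoted in the question.
FAILING_URL = ("http://cms.example/cms/Content/Navigation/LoadTree.ashx"
               "?target=preview&selected=%252fhome%252fhelp-and-advice%252f")
WORKING_URL = ("http://cms.example/cms/Content/Navigation/LoadTree.ashx"
               "?target=preview&selected=/home/help-and-advice/")


def decode_depth(value):
    """Percent-decode until stable; return (passes that changed the value, final text)."""
    depth, current = 0, value
    for _ in range(MAX_PASSES):
        decoded = unquote(current)
        if decoded == current:
            break
        depth, current = depth + 1, decoded
    return depth, current


def audit_query(url):
    """List query parameters whose raw value needs more than one decode pass."""
    findings = []
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        depth, final = decode_depth(raw)
        if depth > 1:
            findings.append({
                "param": name,
                "raw": raw,
                "depth": depth,
                "decoded": final,
                # A slash that only appears after the extra pass is what a
                # layer that decodes once never gets to inspect.
                "hidden_separator": "/" in final and "/" not in unquote(raw),
            })
    return findings


if __name__ == "__main__":
    for url in (FAILING_URL, WORKING_URL):
        print(url, "->", audit_query(url) or "no multi-encoded parameters")
```

Running the same audit over the query strings in web server logs shows which application endpoints depend on double-encoded parameters before a filter that rejects them is switched back on.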

Related

Manually added WebResource.axd - Any security implications?

I added WebResource.axd (empty file) manually in the production environment (IIS7 and Windows Server 2008) after Chrome and Firefox were giving error 404 for WebResource.axd. And now it is working fine, even with parameters. I am not sure why ASP.NET is generating this script in the final render result (no problem with VS2008), but now it is working. I want to know, are there any security implications other than what is normally associated with WebResource.axd, as it is in the root directory?
Thanks
I also had this issue recently; after a code change WebResource.axd stopped working for my site. Basically, it exposes dynamic resources over HTTP. For a longer explanation visit:
Just where is webresource.axd?
Typically, what happens is that one of the dynamic resources being requested has failed, but the resource name is encrypted. This blog post will help you decrypt the name, use it and the query string of your failing webresource.axd?___ request to figure out where the error is coming from.
Telerik webresource troubleshooting

Possible bug/issue in ASP.NET 3.5 related to Request.RawUrl property

I posted a query for 301-redirect using ASP.NET 3.5 here:
Redirecting default.aspx to root virtual directory
Based on the replies I got there, I realized there might be a bug in ASP.NET's Request.RawUrl method which is unable to return the actual raw url (without /default.aspx) when being used in a sub-directory, i.e. the /default.aspx page is inside a subdirectory.
Can someone please shed some light on this possible bug?
Thanks,
Asif
I found a good explanation here:
http://codeasp.net/blogs/vivek_iit/microsoft-net/873/301-redirect-from-default-aspx-to-site-root
Thanks
If you suspect this is a bug, then the place to go is Microsoft Connect, where you can report and discuss the bug directly with Microsoft.
Edit: I was able to reproduce the look per your comments.
I was unable to reproduce the infinite loop, however. I injected code into the Global.asax Application_BeginRequest handler of a web application and got the expected behavior of a single redirect.
There are other, and IMO much better, options for handling global redirect rules. On IIS7, I use the URL Rewrite module to configure rewrite rules in IIS. You can read more about it and download it here: http://www.iis.net/download/urlrewrite. The appeal of a solution such as this is that you can customize and update your rewrite rules without recompiling the application.
Edit: I was able to retrieve the raw URL without the default.aspx (after the redirect) by using instead:
Request.ServerVariables["CACHE_URL"]
It's worth a shot.
Have you looked at the IIS settings for your virtual directory? If there is a default document set to default.aspx then this will explain the infinite loop that you are experiencing. You are telling the website to redirect to the virtual directory without the "default.aspx" and IIS is detecting this on the next request and putting it back in ad infinitum.
Right-click your virtual directory, select Properties and then the Documents tab. If default.aspx is in the list then that is what you will get. The URL of the request will be passed to the ASP.NET worker process as /folder/default.aspx rather than /folder/.
This is not a bug. If IIS didn't do this, you would get a page not found error.
Sounds to me like you need to investigate URL rewriting: http://msdn.microsoft.com/en-us/library/ms972974.aspx

Global.asax not firing for .aspx pages in IIS7

We run a link redirection service which can handle links thrown at it in various formats. One of these formats is to append the destination URL to the end of the link, for example
http://url.fwd/abcd/http://www.mydomain.com/page.aspx
This was working on a Windows Server 2003 / IIS6 box for the last two years, but now we're trying to move to a Windows Server 2008 / IIS7 setup and it's not working anymore.
I've read about the problem with colons in the URL but it doesn't affect pages not ending in '.aspx'. For instance,
http://url.fwd/abcd/http://www.mydomain.com/page.php
would redirect fine.
http://url.fwd/abcd/http//www.mydomain.com/page.aspx
also works fine (note the lack of a second colon). Despite being the wrong URL, it does get handled by our URL forwarding system, which uses a custom 404 page. On the old system, we had a similar problem, so a method was written in Global.asax > Application_Error specifically to handle the '.aspx' case, and it worked fine.
On our new server, the Application_Error never gets thrown in Global.asax. Instead, I get a System.NotSupportedException - "The given path's format is not supported". This System.NotSupportedException is the exact case we handle in the Global.asax page, so it's definitely not being fired.
I've changed the registry keys indicated in several forum posts,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET VerificationCompatibility=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters AllowRestrictedChars=1
I've tried changing the Handler Mappings settings for .aspx.
I've tried setting the app pool to use classic mode instead of integrated, but this causes a completely different error where static content such as images and CSS do not display at all. I've checked that static content is enabled in the Windows features, and it is.
Under classic mode, the '.aspx' request throws two Bad Request errors with absolutely no information whatsoever. The code of the error page I get is literally
Bad Request<html><body>Bad Request</body></html>
UPDATE: I've changed the static file Handler Mapping to the form found in this page
http://improve.dk/blog/2006/12/11/making-url-rewriting-on-iis7-work-like-iis6
However, as the author rightly points out, this is a hack and not the correct way of doing things under IIS7. It also only fixes the static file problem in classic mode. '.aspx' pages still throw an error under classic mode.
Any thoughts or input would be greatly appreciated at this point.
IIS 7 Solution
The easy solution in IIS 7 is to add a setting in your web.config file to tell IIS to process all requests through your Global.asax events. Just add or change this section in your web.config to enable requests:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
In my case, I was publishing my site to production and I missed copying the App_global.asax.compiled file to the server. For this reason the events inside Global.asax were not firing.
Hope this tip helps someone else; I lost 8 hours searching.

Request Filtering/URL rewriting with IIS7 - not working

I cannot get the URL rewriting module to work on my local PC (Vista x86).
I set up a new rule using the 'user friendly url' template.
A picture rather than 1000 words...
(the image contains 3 shots - creation, config and pattern test)
http://www.sk8loc8.com/rewriteIssue.jpg
So now that it is set up, if I request 'localhost/iisrewriteurl/content/5' I should see my content.aspx page.
Nope...
Error Summary
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Detailed Error Information
Module IIS Web Core
Notification MapRequestHandler
Handler StaticFile
Error Code 0x80070002
Requested URL IISRewriteURL/content/5/
Physical Path C:\Users\Guy\Documents\Visual Studio 2008\Projects\IISRewriteURL\IISRewriteURL\content\5\
Logon Method Anonymous
Logon User Anonymous
When I go back into the rule itself and test the patterns that IIS made for me, they do not work.
I have tried adding a wildcard script map under the handler mappings section but this makes no difference.
Has anyone seen this type of behaviour before? Or am I missing something very simple?
If you test the pattern you don't need the host.
I always just create blank rules and have not had a problem that way, though I'm not sure if it matters. I cannot discover why that rewrite wouldn't work; perhaps other rules are blocking it?
Alternatively you may have a look at Helicon Ape product that emulates Apache modules behavior on IIS7. It has simpler syntax and Helicon Ape Manager automatically checks the syntax of the rules you write.

Why would an aspx file return 404 ("The page cannot be found")

Why, when I access an aspx (e.g., http://www.example.com/foo.aspx - not the real site) through IE6, would I get a 404 error (i.e., "The page cannot be found") in IIS6?
I've got scripts enabled for the website and I've tried with executables enabled as well.
Here is the full error:
The page cannot be found
The page you are looking for might have been removed, had its name changed, or
is temporarily unavailable.
------------------------------------------------------------------------------
Please try the following:
Make sure that the Web site address displayed in the address bar of your
browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact the Web site
administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
------------------------------------------------------------------------------
Technical Information (for support personnel)
Go to Microsoft Product Support Services and perform a title search for the
words HTTP and 404.
Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for
topics titled Web Site Setup, Common Administrative Tasks, and About Custom
Error Messages.
I can get to Default.htm in the same directory, so I know the path is right. I've opened it up to everyone (temporarily) so I know the permissions are right.
It could be a lot of things. I had this issue today because .NET had not been re-initialized after installing IIS (aspnet_regiis -i -enable or equivalent).
Check that the anonymous user under which the site runs has read access to the file foo.aspx.
IIS6 and later use a 404 response, thereby not letting an attacker know whether such a file even exists.
I just happened to find another culprit for this issue. My foo.aspx page referenced a particular master page that had a <%# Register %> directive to a user control that did not exist. Removing the reference to the non-existent user control caused my foo.aspx to load instead of 404.
I found a solution here.
The real catch was using this:
Response.TrySkipIisCustomErrors = true;
The site is pointing to a different directory where the page is not.
It could be permissions, however I would think you would get an access error instead.
I'm assuming you are running IIS.
Check that www.example.com is going to the site that you think it is.
If you are hosting multiple sites on the same IP using host headers you may want to double check the name you are using is going to the site you think it is.
Ray and Joe probably have it. In order to serve any file type, IIS has to have a mapping for it. Aspx files require that they be mapped to the AspNet ISAPI dll, which the .Net installation normally takes care of. If you install IIS after .Net (and I'm sure there are other situations), you have to initiate this yourself by running aspnet_regiis.
ALTERNATE SOLUTION (same error perhaps different cause).
I had installed Visual Studio 2008 Pro without SQL Express, and it caused this same error. Reinstallation of VS2008 with SQL Express included seemed to have corrected the problem, or perhaps the install took other actions. I did try to register ASP.NET numerous times prior but had no luck; however, it is definitely the most probable cause. Just posting my experience for those pulling their hair out as I was.
Thanks
If you register the .NET 4 version of IIS, you may find it's grabbed the registration of the aspx extension. If ASP.NET v4 is prohibited then 404 will be returned.
I had this issue where some customers were reporting the 404.0 and some didn't have the problem at all (same page). I was able to navigate to any of the pages with no problems from my machine. Some customers would refresh and it would go away. I am using .NET 4.5.2 and IIS 7.5.
Looking at the IIS log file I would see:
sc-status sc-substatus sc-win32-status
404 0 2
sc-status.sc-substatus: 404.0 - Not Found
sc-win32-status: 2 - ERROR_FILE_NOT_FOUND
https://msdn.microsoft.com/en-us/library/windows/desktop/ms681382(v=vs.85).aspx
https://en.wikipedia.org/wiki/HTTP_404
I found the problem was that I had deployed a new version of the website, where the old version had RouteConfig.cs/FriendlyUrlSetting set up by creating a project using the web forms template. The new version was created using an empty template. So obvious to me now: no URL routing. Customers had a cache issue with certain pages on their machines (no .aspx extension), and having them clear browser data ultimately fixed the problem.
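
Added example, not code from the answer above: a Python sketch that reads IIS W3C log lines and lists extensionless URLs that return 404.0 with win32 status 2 while the same path with `.aspx` is served with 200, the pattern that answer traced to removed URL routing plus cached links. The log excerpt, client addresses, page names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed W3C extended log excerpt (documentation IP ranges, invented pages).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus sc-win32-status
2016-03-01 10:00:01 GET /Orders.aspx 203.0.113.5 200 0 0
2016-03-01 10:00:07 GET /Orders 203.0.113.9 404 0 2
2016-03-01 10:02:30 GET /Orders 198.51.100.7 404 0 2
2016-03-01 10:03:11 GET /Reports 203.0.113.9 404 0 2
2016-03-01 10:04:52 GET /old-page.aspx 198.51.100.7 404 0 2
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def lost_route_candidates(lines):
    """Map extensionless stems that got 404.0 / win32 2 to the clients that hit them,
    keeping only stems whose '.aspx' twin was served with 200."""
    served = set()
    not_found = defaultdict(set)
    for row in parse_w3c(lines):
        stem = row["cs-uri-stem"].lower()
        triple = (row["sc-status"], row["sc-substatus"], row["sc-win32-status"])
        if triple[0] == "200":
            served.add(stem)
        elif triple == ("404", "0", "2"):  # Not Found / ERROR_FILE_NOT_FOUND
            not_found[stem].add(row["c-ip"])
    return {
        stem: sorted(clients)
        for stem, clients in not_found.items()
        if "." not in stem.rsplit("/", 1)[-1] and stem + ".aspx" in served
    }


if __name__ == "__main__":
    for stem, clients in lost_route_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{stem}: 404.0 for {len(clients)} client(s), but {stem}.aspx is served")
```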
I got this issue when I tried using a different drive to host my apps. I ended up moving them to the wwwroot folder because it was working there and I did not have the time to figure out why it was not working on the E:\ drive.
I had the bin\roslyn compiler missing. After adding that, all worked fine.
Check for double quote errors. I started getting a 404 on a single page because I accidentally had this:
<asp:TemplateField HeaderText="ImageURL"">
instead of this:
<asp:TemplateField HeaderText="ImageURL">
For an aspx page, error 404 can be quite misleading! I have seen all the answers and they presuppose various issues with the file, page, path, etc., but the simplest issue is the fact that if there is an error in your ASP page (i.e. bad format, improper usage of a control, etc.), ASP will think the page does not exist and will post a 404, when in actuality it is easy to ascertain whether there is a bad format by simply clicking on design mode. If the page does not render, there is no need to do anything else but look at what is causing the render error, fix it, and voilà! Your page shows, since it was never missing or unable to be found; it simply did not know how to display! Too often people go looking for the wrong solutions and waste so much time! Hope this helps someone. :-)
