Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.

FlexWiki and URLScan

Last July, I mentioned I installed DevHawk Wiki as our team's Wiki engine.  About a month ago, we decided to upgrade to FlexWiki instead.  It was very easy to move our Wiki pages from one Wiki engine to another.  If you are looking for a low-friction collaboration tool for your group or organization, check out Wiki.  Our team uses it extensively to keep updated on the project (FlexWiki also provides RSS feeds of updated and new pages!).

This week, I moved our Wiki to a new machine (after updating FlexWiki to the latest version), and installed the much recommended security tools IISLockdown and URLScan on a Windows XP box.  What I found was the Wiki was no longer working!  It turned out that URLScan was prohibiting the viewing of pages that have extra “dots” in the URL. 

FlexWiki stores each page as a text file with a .wiki extension.  For example, if your Namespace is CoolProject (the folder that holds your Wiki files) and you have created a new Wiki page for your name, RobertHurlbut.wiki, then to see the page in FlexWiki you would use this URL:

http://localhost/Wiki/default.aspx/CoolProject.RobertHurlbut

Notice the “dot” in the URL.  In URLScan, you can change the AllowDotInPath filter setting from 0 (default) to 1 in the urlscan.ini file.  This fixed the problem with viewing Wiki pages in FlexWiki.

Note:  Notice that URLScan 2.5 is the latest version.  With IIS 6.0 (only on Windows Server 2003), many of the features of IISLockdown and URLScan are now either built into IIS 6.0 or are better than what is offered by these tools.  In some cases, though, URLScan does offer some out of the box features that IIS 6.0 still doesn't offer.  See this article to determine if you should install it or not on Windows Server 2003:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/urlscan.asp.  For all other OSs (i.e. Windows NT, 2000, XP), you should install these security tools.

Debug Note:  One other “gotcha” with URLScan is that it watches for the key verbs coming across:  GET, POST, etc.  In order to debug ASP.NET pages, when URLScan is installed, you must add the verb DEBUG in the allowed verb list in the urlscan.ini file (as noted here).

Update:  As Darrell Norton points out on his blog, for .Net, you can download the specific urlscan.ini files for .Net Production and .Net Development servers.  These scripts are featured in the Operating .Net Applications, part of the excellent Patterns and Practices series from Microsoft.  Thanks again, Darrell.
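Since both changes above loosen URLScan, and development and production servers get different urlscan.ini files, here is a small check that compares a urlscan.ini against what a given server actually needs. It is an added example, not code from this post or from Microsoft: the `[options]` and `[AllowVerbs]` section names and the `UseAllowVerbs` option are URLScan's own but are not named in the post, and the sample file, `parse` and `review` are constructed for illustration.

```python
import configparser

# Constructed sample: a development-box urlscan.ini with both changes from the post.
DEV_INI = """\
[options]
UseAllowVerbs=1     ; only verbs listed in [AllowVerbs] are accepted
AllowDotInPath=1    ; changed from the default 0 so FlexWiki URLs load

[AllowVerbs]
GET
HEAD
POST
DEBUG
"""

def parse(text):
    """Parse urlscan.ini text; [AllowVerbs] holds bare lines, so allow keys without values."""
    cfg = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                    inline_comment_prefixes=(";",),
                                    interpolation=None, strict=False)
    cfg.optionxform = str  # keep verb case as written in the file
    cfg.read_string(text)
    return {name.lower(): dict(cfg[name]) for name in cfg.sections()}

def review(text, needs_dotted_urls, needs_debugging):
    """Return mismatches between the file and what this server is meant to do."""
    ini = parse(text)
    options = {k.lower(): (v or "").strip() for k, v in ini.get("options", {}).items()}
    findings = []
    dots_allowed = options.get("allowdotinpath", "0") == "1"
    if needs_dotted_urls and not dots_allowed:
        findings.append("AllowDotInPath=0: URLs like default.aspx/CoolProject.RobertHurlbut are rejected")
    if dots_allowed and not needs_dotted_urls:
        findings.append("AllowDotInPath=1 is set but this server does not need it")
    if options.get("useallowverbs", "1") != "1":
        # Scope of this example: only the allow-list mode the post describes is checked.
        findings.append("UseAllowVerbs is not 1: [AllowVerbs] is not the active verb filter")
        return findings
    debug_allowed = "DEBUG" in ini.get("allowverbs", {})
    if needs_debugging and not debug_allowed:
        findings.append("DEBUG missing from [AllowVerbs]: ASP.NET debugging is blocked")
    if debug_allowed and not needs_debugging:
        findings.append("DEBUG is in [AllowVerbs] but debugging is not needed here")
    return findings

if __name__ == "__main__":
    # A server that hosts FlexWiki but is not used for debugging.
    for line in review(DEV_INI, needs_dotted_urls=True, needs_debugging=False):
        print(line)
```
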

 

Published Saturday, January 17, 2004 2:57 PM by RHurlbut
