I have a vb.net program that is called as part of a payment authoristation process. It receives a GET parameter.
If the contents of the parameter includes the text 0x anywhere then I get a 404.19 error.
I have no control over what is put in the GET parameter. I can restrict whatever I do to be applicable to calls from just one site.
I think I need to alter the filtering rules but I obviously want to take care not to leave my site vulnerable in any other way.
I have no access to IIS console and must handle this with web.config.
Please can somebody tell me what to put in the web.config.
This error comes from request filtering. Put the below code in web.config to clear all previous filtering rules. This will solve the problem.
<system.webServer>
<security>
<requestFiltering>
<filteringRules>
<clear />
</filteringRules>
</requestFiltering>
</security>
</system.webServer>
Related
My application using spring rest and deployed in Azure server. Created rest apis using spring rest.
Am able to access all rest urls, except in one scenario.
for eg: http://mydomain123.com/api/abc , http://mydomain123.com/api/xyz/abc
Am able to access above urls
http://mydomain123.com/api/bin , http://mydomain123.com/api/xyz/bin , http://mydomain123.com/api/bin/dfdff
But above urls having bin word with which am getting below error:
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
I am trying as below,but not working at all:
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Main Rule" stopProcessing="true">
<match url=".*" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Please someone help me out to fix above issue (I should be able to access rest apis even having word "bin" in it)
Please make sure to place the web.config file at the root of the application folder.And after making changes try to restart the application.
Also check this for matching pattern .
Also check to allow wide range of urls by allowing CORS in any of the ways mentioned in references here
spring-boot-security-cors
how-to-enable-spring-boot-cors-example-crossorigin
/spring-boot-security-cors
ex:
registry.addMapping("/*")
.allowedOrigins("*").allowedMethods("*");
And as a workaround try to add
<system.webServer> <modules runAllManagedModulesForAllRequests="true"/> </system.webServer>
in web.config
I want to create a default document called default and in that document I want it to rewrite the URL so instead of going www.bob.com it should instead go to www.bob.com/uv
Right now this is being done through URL rewrite rules, with patterns and all kinds of complications. I saw this done directly in the default document once, I cant remember if it was default.htm or .html or .aspx, using one line of code and I was very intrigued but I have not found it since then and no good examples have come up in my google searching. Does anyone have a link or could write the single line of code to add \uv to the url? Is there a really good example of it anywhere?
You can add which ever default page you want from IIS Manager -> -> Default Document - > Add (on right side) or by adding below in your web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<defaultDocument>
<files>
<add value="default.aspx" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
However this is a rewrite i.e. this will load default.aspx when you browse www.bob.com (URL remains same but the page is actually loaded).
If you want to actually change the URL (redirect) then with the same configuration above this below line in default.aspx
<%Response.Redirect("home.aspx")%>
Ok, so on my new site bob.testing.com, I set it up as anonymous authentication. Under it, i have a folder called apps. That's not an app, and there's no configuration on it. Under apps, I have a folder called MyApp. Originally, I set this up as Windows Authentication, but later I needed to update it to Anonymous. If I rename this folder to MyApp2 and create the application it works with Anonymous Authentication. When I rename it back... it sends back 401. I've tested with Fiddler, tried changing browsers, had someone else at work try it. Same results. I've tried recycling app pool, changing app pool, restarting IIS...
Anyone know how to delete whatever information IIS has cached about this application? I'd prefer not to have to rename and refactor my other apps for this item.
So, after posting; I actually looked here:
C:\Windows\System32\inetsrv\config\applicationHost.config
It was listed with two location path's. I ended up just deleting both and then setting it up again as an application. It appears to be working for now...
Looked something like this:
<location path="bob.testing.com/apps/MyApp">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
We have a problem occuring on some of our developer workstations: when visiting a URL without a filename (e.g. http://localhost/), IIS 7 returns a 404 error. Everyone is running Windows 7/IIS 7.5 and ASP.NET 4.0. The application pool is configured to use Classic pipeline mode.
Default documents are enabled, and default.aspx is in the default document list.
I enabled failed request tracing, and see this in the log:
OldHandlerName="", NewHandlerName="ExtensionlessUrl-ISAPI-4.0_64bit",
NewHandlerModules="IsapiModule",
NewHandlerScriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll", NewHandlerType=""
Later on, I see that this IsapiModule is rejecting the request:
ModuleName="IsapiModule", Notification="EXECUTE_REQUEST_HANDLER", HttpStatus="404",
HttpReason="Not Found", HttpSubStatus="0",
ErrorCode="The operation completed successfully. (0x0)", ConfigExceptionInfo=""
It looks like IIS thinks the ExtensionlessUrl-ISAPI-4.0-64bit should be handling the request. When I look at that module's configuration, it shows that it should be matching path *., so I'm confused why it is matching no path.
A Google search turns up this post on the IIS.net forums from 2005. Unfortunately, no solutions are offered, just an acknowledgement of the problem.
When I update my app pool to use integrated mode, the problem goes away. Unfortunately, it has to run in Classic mode.
What can I do to get IIS to server our default documents again?
It looks like Microsoft released an update that enables the ExtensionlessURL HTTP handler to work with extensionless URLs. Unfortunately, this breaks certain other handlers. In my case, the DefaultDocument handler under classic app pools. The solution is to remove the ExtensionlessURL handlers in our application's web.config:
<system.webServer>
<handlers>
<remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrl-Integrated-4.0" />
</handlers>
</system.webServer>
I solved the problem with putting the "StaticFile" handler in HandlerMapping in front of "ExtensionlessUrlHandler-*"
I noticed when removing the managed .NET framework (4.0) from the application pool, it fixed the problem for me too!
We don't use .NET at all in our IIS environment!
I use the following rule in web.config URL Redirect as workaround to solve this:
<system.webServer>
<rewrite>
<rules>
<rule name="Default document rewrite" stopProcessing="true">
<match url="^(.+/)?$" />
<action type="Redirect" url="https://{HTTP_HOST}/default.aspx" />
</rule>
</rules>
</rewrite>
</system.webServer>
Changing the StaticFile order helped to fix the issue, when setting default document to a web site application in IIS, while the root website also had another default document.
Adding the DefaultDocument component to IIS in add/remove windows features and then inserting the name of my default script ( index.php) worked for me.
When used at site level, the IIS7 URL Rewrite 2 module saves its configuration in the web.config file of that site. I'm using Sitecore CMS, and best practice is to store any web.config customisations in a separate config file for ease of upgrading, staging/production setups etc.
Is there any way to specify a different config file for IIS7 redirects?
I know that application-level rewrites are stored in ApplicationHost.config, but I have several sites running on the server and would like to keep them separated.
Thanks, Adam
In order to support this best practice you've mentioned, Sitecore implements pluggable configs, but only for the elements inside <sitecore> section of web.config. So, unless IIS7 URL rewrite provides some way to move its stuff to a separate config (like ASP.NET does for connectionstrings.config), I'm afraid you'll have to keep it in the main web.config file.
Sorry if I'm saying obvious things.
You can also try to use rewrite maps
<rewrite>
<rewriteMaps configSource="rewriteMaps.config" />
</rewrite>
Sample rewriteMaps.config file:
<rewriteMaps>
<rewriteMap name="CustomRewrites" defaultValue="">
<add key="/instructions" value="/documents" />
</rewriteMap>
</rewriteMaps>
I'm not familiar with the url rewriting config, but I have an example of moving the url mapping to a separate file:
<urlMappings configSource="config\urlMappings.config"></urlMappings>
And that file looks like the following:
<?xml version="1.0"?>
<urlMappings enabled="true">
<add url="~/somedealer" mappedUrl="/?theme=4" />
<add url="~/someotherclient" mappedUrl="/?theme=12" />
</urlMappings>
I'm sure the url rewriting works the same way.