Can't get IIS 7/Coldfusion to deliver 404 - iis

So... we have a custom CMS. We have a rewrite rule that any page request (when a file doesn't exist) goes to the root/index.cfm file. There we search our DB for the page in question. If the page exists, we serve up the correct template, etc. If the page doesn't exist I want to serve up a 404 page. Now I "think" I cannot do this in IIS since I need to handle the request in CF, so it has to get through. The file will always exist. When the page doesn't exist I've tried using <cfheader statusCode="404" > and then include some html; it puts "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable." at the top of the page before my html. In order to get it to display the page I had to remove the 404 status code handler from IIS.
In addition, when I fetch as Google, it gets a 301. However, when I view response headers in Firefox I get:
Transfer-Encoding: chunked
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 16 Jan 2013 21:31:42 GMT
404 Not Found
I've tried a combination of redirecting and all sorts of things. I am open to letting IIS handle the 404, if there is a way, but I cannot figure out how to get ColdFusion to correctly deliver a 404 so Google gets it right. Webmaster tools gets mad at me because I am delivering "Soft 404s" before this point, so I am trying to fix that.
I've also tried setting <httpErrors existingResponse="PassThrough" /> whatever the hell that does, but didn't work either. I've been looking up other threads trying to figure this out and just can't.
EDIT: Looking further into this, viewing the header info in both Firebug & Chrome I clearly see the headers say 404. Why would Fetch as Bing and Fetch as Google say differently?
I tested the fact that if I add .cfm to the URLs, Fetch as Google will see a 404. However, without the .cfm, it thinks it's a 301. Firebug sees both as 404. This seems like a Google issue.
ANSWER Kind of:
So I was doing more testing this morning (right after I added a bounty, actually), and I noticed in webmaster tools that Google correctly noted one of my pages as a 404. So I started looking into it. I have an "Add Trailing Slash Rule". Google notices domain.com/page as a 301 (correct, I guess) to domain.com/page/. But it does notice domain.com/page/ as a 404. I think using the trailing slash rule as I have it is the right way; however, should I be doing something different, or is using the redirect with the slash the "correct" way of doing things, even though Google wants to ding me for it sometimes?

I'm not entirely sure I follow the specifics of your approach, so I will give you a few things that you need to look at in order to get this approach working well (or at least what has worked best for me).
Under "Error Pages", make sure that your 404 error page is set to "Execute a URL on this site" (I generally set mine to something like "/404.cfm"). This will make sure that your ColdFusion page is called correctly for 404 pages (it sounds like you have this working correctly).
Under "Handler Mappings", double-click on the handler for ".cfm". Then click the "Request Restrictions..." button. It should open to the "mappings" tab. The "Invoke handler only if request is mapped to:" checkbox should NOT be checked.
This can really trip up this sort of operation because it means that IIS won't invoke ColdFusion if the file doesn't exist. This shouldn't be an issue if your 404 is set up correctly, but still something to look into.
While you are in the "Handler Mapping" section, look for the IsapiModule with a path of "*". Mine is always set to ColdFusion - not sure if that makes a difference or not.
The other thing to look at is the "Default Document" setting. Keep in mind that this could impact you when forwarding to a folder.
You might also look at your rewrite rule again and make sure it isn't adding slashes where one already exists.
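The "Error Pages" and "Handler Mappings" settings from this answer, written as the `<system.webServer>` configuration they correspond to. This is an added illustration, not the answerer's own configuration; the handler name and the connector path are placeholders.

```xml
<system.webServer>
  <!-- "Error Pages": 404 set to "Execute a URL on this site".
       existingResponse controls what IIS does when the application has
       already written an error response:
         Auto        (default) keeps the application's body only when the
                     application flagged the response to skip IIS custom errors
         Replace     always substitutes the IIS error page
         PassThrough leaves an existing application response untouched -->
  <httpErrors errorMode="Custom" existingResponse="Auto">
    <remove statusCode="404" subStatusCode="-1" />
    <!-- /404.cfm is the path suggested in the answer; the page is expected
         to send the 404 status itself (cfheader statusCode="404") -->
    <error statusCode="404" path="/404.cfm" responseMode="ExecuteURL" />
  </httpErrors>

  <handlers>
    <!-- PLACEHOLDER name and scriptProcessor: use the values of the existing
         ColdFusion mapping on the server -->
    <remove name="PLACEHOLDER-cfm-handler" />
    <!-- resourceType="Unspecified" is the stored form of leaving
         "Invoke handler only if request is mapped to" unchecked, so the
         handler runs even when no .cfm file exists on disk -->
    <add name="PLACEHOLDER-cfm-handler" path="*.cfm" verb="*"
         modules="IsapiModule"
         scriptProcessor="PLACEHOLDER\path\to\coldfusion-connector.dll"
         resourceType="Unspecified" />
  </handlers>
</system.webServer>
```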

Related

IIS 8.0 - Strip html tags from url (XSS protection)

Here's the thing. I'm trying to protect my server from XSS attacks (and so far with no trouble at all, changing HTTP response headers and other things), but a generic vulnerability is still going on, and it happens because some JavaScript code can be inserted in the URL
(i.e. http://myhost.com/thisfile.jsp?<script>alert("hello")</script> )
When I type this, the response is HTTP 202 OK Status (it redirects to my 404 page). But I need to do one of these actions:
throw another HTTP Status (405, 500, Or any status giving an error)
Throw an error.
What can I do? Is there any way to strip the tags or recognize them via web.config file to throw an error?... I've been trying with the rewrite module and the request filtering with no success at all.
Thank you so much in advance, regards.
Thank you... I solved it and it was so easy (I can't believe I didn't try that first).
I went to IIS manager and then click on request filtering.
Then, on the "Rules" tab I added a "Filtering Rule". Applying to all file extensions and in the field "Deny Query String" I added <script>, <scr+ipt>, etc. So when the URL comes with a tag like that the connection is closed without showing 404 or any error page.
It worked and now the vulnerability scanner doesn't show any risk.
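The filtering rule described in this answer, as the `<system.webServer>` configuration IIS Manager writes for it. This is an added illustration, not the poster's actual file; the rule name is made up and only one deny string is shown.

```xml
<system.webServer>
  <security>
    <!-- unescapeQueryString="true" makes IIS scan the query string twice:
         once as received and once after decoding escape sequences -->
    <requestFiltering unescapeQueryString="true">
      <filteringRules>
        <!-- No <appliesTo> element, so the rule covers every file extension,
             matching "Applying to all file extensions" in the answer.
             The rule name is hypothetical. -->
        <filteringRule name="DenyScriptTagInQuery"
                       scanUrl="false" scanQueryString="true">
          <denyStrings>
            <!-- "<" has to be written as &lt; inside an XML attribute -->
            <add string="&lt;script" />
          </denyStrings>
        </filteringRule>
      </filteringRules>
    </requestFiltering>
  </security>
</system.webServer>
```

Requests rejected by a filtering rule are logged with substatus 404.19, which is a quick way to confirm the rule is firing. The rule only blocks literal matches, so the page that echoes the query string still needs output encoding.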

How to move pages around and rename them while not breaking incoming links from external sites that still use the poorly formed URLs

update
Here is the situation:
I'm working on a website that has no physical folder structure. Nothing had been planned or controlled and there were about 4 consecutive webmasters.
Here is an example of an especially ugly directory
\new\new\pasite-new.asp
most pages are stored in a folder with the same name as the file, for maximum redundancy.
\New\10cap\pasite-10cap.asp
\QL\Address\PAsite-Address.asp
Each of these [page directories]? (I don't know what else to call them) has an include folder. The include folder contains the same *.inc files in every case, just copied about 162 times for each page directory. The include folder was duplicated so that the
<!--#include file="urlstring"--> would work correctly, due to lack of understanding of relative paths and the #include virtual directive or using server.execute()
Here is a picture if my explanation was lacking.
Here are some of my limitations:
The site is written in ASP classic
Server is Windows Server 2003 R2 SP2 , IIS 6 (According to my resource)
I have no access to the IIS server
I would have to go through a process to add any modules or features to iis
What changes can I make that would allow me to move pages around and rename them while not breaking incoming links from external sites that still use the poorly formed URLs?
To make my question more specific.
How can I move the file 10cap.asp from \new\10cap\ to a better location like \ and rename the file to something like saveourhomescap.asp and not break any incoming links and finally, not have to leave a dummy 10cap.asp page in the original location with a redirect to the new page?
Wow, that's a lot of limitations to deal with.
Can you set up a custom error page? If so you can add some code into a custom error page that would redirect users to the new page. So maybe you create a custom 404 page, and in that page you grab the query string variable and based on that send the user to the correct "new" page. That would allow you to delete all of the old pages.
Here is a pretty good article on this method: URL Rewriting for Classic ASP
Well, you have a lot of limitations and especially no access to the IIS server hurts. An ISAPI module for URL rewriting is not an option here (IIS) and equally a custom 404 page where you could read the referer and forward with a HTTP 301 won't work (IIS).
I would actually recommend you to go through the process and let them install:
An ISAPI URL rewriting module
or if that doesn't work (for any reason):
Let them point the HTTP 404 of your web to a custom 404.asp, read the referer and redirect with a HTTP 301 (Moved Permanently) to your new location.
If none of this is an option for you, I can think about another possibility. I haven't actually tried that so I'm not 100% sure if it will work, but in theory it sounds good ;)
You could make in your global.asa in the Session_OnStart event a Response.Redirect or change the header of your response to a HTTP 301. This will actually only work for new users and not fix real 404 errors. Sorry, for the pseudo code, but it's a while ago that I had anything to do with classic ASP and I think you'll get what I mean ;)
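Sub Session_OnStart
    ' One Case per moved page; the old path below is taken from the question
    Dim target
    Select Case LCase(Request.ServerVariables("URL"))
        Case "/new/10cap/pasite-10cap.asp"
            target = "http://company.com/newlocation.asp"
    End Select
    If target <> "" Then
        ' Simplest form: Response.Redirect target (sends a temporary redirect)
        ' Better, if it works here: a permanent redirect
        Response.Status = "301 Moved Permanently"
        Response.AddHeader "Location", target
        Response.End
    End If
End Sub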
Hope that helps.
I recommend using URL Rewrite for that, see the following blog about it, in particular "Site Reorganization":
http://blogs.msdn.com/b/carlosag/archive/2008/09/02/iis7urlrewriteseo.aspx
For more info about URL Rewrite see: http://www.iis.net/download/URLRewrite
You can try ISAPIRewrite since it's classic ASP + IIS6
http://www.isapirewrite.com/
They have a lite version which is free, probably good enough for your use.
urlrewrite will only work if you can install a dll on the server.
One of these articles will help:
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=qRR&q=url+rewrite+classic+asp&btnG=Search&aq=f&oq=&aqi=g-m1
Basically you have to point 404 errors to an error page which will parse the incoming querystring / post info and redirect the user to the correct location with incoming parameters added.
Variations on that theme will be found in the examples from Google.

Can I have 'friendly' url's without a URL rewriter in IIS?

Without having a url rewriter such as ISAPI_Rewrite available, is it possible to achieve the following:
I would like a user to browse to http://www.jjj.com/directory where /directory does not actually exist. IIS transfers the user to not-found.cfm.
At this point I can serve index.cfm i.e. http://www.jjj.com/directory/index.cfm.
The url will display just fine and the page loads even though the directory or index.cfm doesn't exist. However I'd like to be able to not have index.cfm in the url.
Ideal:
Page Request to http://www.jjj.com/directory
IIS loads not-found.cfm as the default 404 errorhandler.
Not found strips the CGI.query_string and uses cfswitches to funnel the user to the appropriate controller function. May use onMissingTemplate?
The page request never changes in the URL and the page loads transparently to the user with 200 OK status
If a user requests http://www.jjj.com/directory/index.cfm I would 301 redirect to http://www.jjj.com/directory
Current:
Page Request to http://www.jjj.com/directory
IIS loads not-found.cfm as default 404 error handler.
Not found strips the CGI.query_string and uses cfswitches to funnel the user to the appropriate controller function.
The page request changes to http://www.jjj.com/directory/index.cfm with a 200 OK status
You're asking how to cut something but telling us you're not allowed to use a knife or anything resembling one.
Here's my only clever idea using onMissingTemplate().
GET /directory/
-> 404.cfm
-> <cfinclude template="#cgi.script_name#/special.cfm" />
-> fires onMissingTemplate() where you ignore the "special.cfm" bit and just use the rest of the requested path to figure out what controller to wire up to.
This is a kludgy hack, though, so I would try to avoid it myself. Maybe if you explain why ISAPI Rewriting isn't an option, then we might be able to help further.
You can tell IIS to have 404 and 403 errors execute a custom URL on your site (such as /urlhandler.cfm).
Then, you can parse the 'cgi.query_string' and route the application any way you desire using cfinclude to simply include the correct 'template.cfm', or, you can reformat the input your framework is expecting, or, use a project like http://coldcourse.riaforge.org/.
Just one note, IIS will give you a URL that looks like this: '404;http://yoursite.com/the/url/you/wanted/to/route'.
Is IIS7 on the approved list of software? That can get you native url rewriting and side-step the whole issue.
Second option: my CFM voodoo is rusty, but I think you can set up IIS6 to look for a CFM page (like you are doing) but then step in at the application level and do the url rewriting/repointing before it actually hits the 404 page.
Another way around it -- find an ISAPI url rewriter that is, say, under the MIT license. Build your own copy. Then have them install that as part of your software package.

IIS 404 Custom Error: URL return response code 200 instead

I'm trying to return a custom 404 page using IIS6. (I have a site that is mostly .shtml pages built using movable type). I have tried it 2 ways:
1) Set the 404 error handler in IIS to be type "file" with the path \404.html. This works, but it also means that I can't import the header and footer of my site (hence the .shtml). Trying to point the 404 error handler to 404.shtml results in the default 404 page... I guess IIS can't process shtml files in the 404.
2) Set the type to "URL". This works great, except that the response code is no longer 404! It's a 200.
How can I get IIS to respond with a 404 response code with the content of my 404.shtml file?
Given that it's IIS, adding
<% Response.Status = "404 Not Found" %>
to the top of 404.shtml should change the response code to 404.
I am not on a windows machine so I am unable to test it at the moment to verify.
Update:
I was finally able to run a few tests on an IIS 6. As you mentioned in a comment to my post, an .shtml file does not allow script commands to run. So there are at least two ways to work around this:
Instead of naming your custom 404 handling page 404.shtml, name it 404.asp. The user should never see the actual name of the page so it shouldn't cause any issues. Note that "Active Server Pages" must be set to 'Allowed' in the Web Service Extensions folder of IIS.
Modify the page extension mapping for .shtml to use asp.dll instead of ssinc.dll. You can do this from IIS by selecting the website and viewing Properties -> Home Directory tab -> Configuration -> Mappings tab. Note that this is far from an ideal solution because now all your .shtml files will be processed by asp.dll. This could cause your pages to render more slowly (assuming asp.dll processes files more slowly than ssinc.dll due to greater complexity) and violates the principle of least privilege.
If neither of the options fit your situation, then it may still be possible but the solution isn't immediately obvious to me.
In IIS Manager, open the Properties of your Web site (or virtual dir) and go to the Custom Errors tab. There you can set which file is sent in case of each error code, including 404.

Tracking where a custom 404 is handled - code, IIS, etc?

Is there any means to track where within code a 404 error is handled?
We have a site that we have taken over that doesn't seem to be reacting as expected.
We have changed the IIS custom errors page to point to the new page we would like but something seems to still be redirecting it to the old 404.htm file in the root of this site. We have not been able to track down where or why this happens.
Any suggestions on how we might find the referring logic?
