Welcome to HostingForumz.com!
FAQFAQ   SearchSearch      ProfileProfile    Private MessagesPrivate Messages   Log inLog in

"Forbidden (Invalid URL)"

  
   Web Hosting Problem Solving Community! (Home) -> IIS RSS
Related Topics:
403 forbidden - I'm setting up a new 2003 server. I installed IIS because I have a basic Website (just a couple simple html files) to share with the LAN behind the firewall - not available to Internet. I get 403 forbidden on computer. I gave read rights to..

403 Forbidden - Our VB program downloads an XML file from a URL on our website to our client's machine using HTTP control. When it does that, it got the following error: "403 Forbidden - The ISA Server denies the specified Uniform Resource Locator (URL). (12202)

403 Forbidden - Operating System: Server 2003 Client XP IIS: 6.0 Code VS 2005 C# Smart Client All on current Service Paks. I am running the site set up as SSL that requires client ..

IIS 5.0 and Http 403 forbidden - Hi Since yesterday my W2K server with IIS 5.0 doesn't work. When I try to retrieve a web page on the server I receive the message HTTP 403 I all the on the folders but they are ok. Moreover the FTP sites work..

ASP pages forbidden in IIS - hi I have a web page running in IIS webserver I could be able to run some ASP Pages but when I click on the link on these pages to forwarded to some other ASP pages, IE show that 403 you are not to view this Does any..
Next:  Php IIS 6 cgi-bin  
Author Message
anonymous1147

External


Since: Feb 08, 2004
Posts: 1



(Msg. 1) Posted: Sun Feb 08, 2004 3:01 am
Post subject: "Forbidden (Invalid URL)"
Archived from groups: microsoft>public>inetserver>iis (more info?)
Hello,

I've been using IIS 5.0 for years, and based many of my
web implementations on using "http://servername/../" to
force the client back to the root of the web site. I
realize that ../ is not something a HTTP server is
technically supposed to process, but at least IIS5 was
smart enough to know that I intended it to serve the root
web site. IIS6 only returns "Forbidden (Invalid URL)."
Is there any way to make ../ work the way it used to?

It's more secure this way? Hah--at least my whole
intranet site used to work. It is not like "../" is a
seriously malformed directory.

Thanks.

 >> Stay informed about: "Forbidden (Invalid URL)" 
Back to top
Login to vote
anonymous131

External


Since: Oct 17, 2003
Posts: 720



(Msg. 2) Posted: Mon Feb 09, 2004 8:48 am
Post subject: "Forbidden (Invalid URL)" [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Are you talking about links in html? Why not just use the
root slash.

<a href="/filename.html">

doug
 >-----Original Message-----
 >Hello,
 >
 >I've been using IIS 5.0 for years, and based many of my
 >web implementations on using "http://servername/../" to
 >force the client back to the root of the web site. I
 >realize that ../ is not something a HTTP server is
 >technically supposed to process, but at least IIS5 was
 >smart enough to know that I intended it to serve the
root
 >web site. IIS6 only returns "Forbidden (Invalid URL)."
 >Is there any way to make ../ work the way it used to?
 >
 >It's more secure this way? Hah--at least my whole
 >intranet site used to work. It is not like "../" is a
 >seriously malformed directory.
 >
 >Thanks.
 >.
 ><!-- ~MESSAGE_AFTER~ -->

 >> Stay informed about: "Forbidden (Invalid URL)" 
Back to top
Login to vote
someone9

External


Since: Aug 25, 2003
Posts: 2419



(Msg. 3) Posted: Tue Feb 10, 2004 6:13 am
Post subject: Re: "Forbidden (Invalid URL)" [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
It's not a matter of IIS5 being smart as much as it's just broken and
waiting to be taken advantage of

Using "../", aka"parent path traversal", is a known cannonicalization-based
security vulnerability. In fact, it is a part of the vulnerabilities that
CodeRed/Nimda tried to exploit.

The right thing is to fix your code such that it doesn't look like nor rely
on security vulnerabilities to function. This is an example where a
"feature" is both a security and compatibility issue, and we chose security
with no alternatives. Sorry to tell you, but your website was broken all
this time, so you should probably fix it.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"EW" <anonymous.DeleteThis@discussions.microsoft.com> wrote in message
news:be9501c3ee19$cea0e5b0$a101280a@phx.gbl...
Hello,

I've been using IIS 5.0 for years, and based many of my
web implementations on using "http://servername/../" to
force the client back to the root of the web site. I
realize that ../ is not something a HTTP server is
technically supposed to process, but at least IIS5 was
smart enough to know that I intended it to serve the root
web site. IIS6 only returns "Forbidden (Invalid URL)."
Is there any way to make ../ work the way it used to?

It's more secure this way? Hah--at least my whole
intranet site used to work. It is not like "../" is a
seriously malformed directory.

Thanks.
 >> Stay informed about: "Forbidden (Invalid URL)" 
Back to top
Login to vote
Display posts from previous:   
   Web Hosting Problem Solving Community! (Home) -> IIS All times are: Pacific Time (US & Canada) (change)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



[ Contact us | Terms of Service/Privacy Policy ]