RequestFiltering not working for MS-DOS device name paths


Question

I'm trying to appease a PCI scan failure we recently had done, in which it states:


Microsoft ASP.NET MS-DOS Device Name DoS

Synopsis: A framework used by the remote web server has a denial of service vulnerability.
Impact: The web server running on the remote host appears to be using Microsoft ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL containing an MS-DOS device name can cause the web server to become temporarily unresponsive.

In a nutshell, if we visit a URL on our app such as /AUX/.aspx we get a 500 error.

I'm using RequestFiltering to filter these requests out and return 404s instead, without the server trying to process the request.

An excerpt of my web.config is below:

<system.webServer>
    <security>
        <requestFiltering>
            <denyUrlSequences>
                <add sequence="/AUX/.aspx" />
            </denyUrlSequences>
        </requestFiltering>
    </security>
</system.webServer>

However, this isn't working; it's still returning a 500.

I would expect it to return a 404.

If I add the following catch-all URL to the denyUrlSequences then the whole site produces the expected 404.

<add sequence="/" />

It's worth mentioning that the application in question is an MVC app running on IIS 7.5 (Windows 2008 R2).

Answer

Just needed to solve this problem.

My solution was to disable .NET Error Pages and enable IIS Error Pages.

When you move the custom error handling from the higher .NET level to the lower IIS level, the HTTP response code changes from 500 to 404.

PCI test passed :-)
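A web.config that implements what the answer describes, as an added example rather than the poster's own configuration: ".NET Error Pages" in IIS Manager corresponds to `customErrors` under `system.web`, and "Error Pages" corresponds to `httpErrors` under `system.webServer`. The error page paths `/errors/404.html` and `/errors/500.html` are placeholders assumed here; the `denyUrlSequences` rule is the one from the question, left in place.

```xml
<configuration>
  <system.web>
    <!-- ".NET Error Pages" in IIS Manager = customErrors. mode="Off" stops ASP.NET from
         substituting its own error page. On its own this would expose ASP.NET's detailed
         error page (stack trace, source path) to remote clients, so it must be paired with
         the httpErrors existingResponse="Replace" setting below. -->
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <!-- "Error Pages" in IIS Manager = httpErrors. errorMode="Custom" serves the custom page
         to local and remote clients alike; existingResponse="Replace" discards whatever body
         the application produced for the error status, so the ASP.NET error detail never
         leaves the server. responseMode="ExecuteURL" keeps the original status code
         (404 stays 404) instead of redirecting the way customErrors defaultRedirect does. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="/errors/404.html" responseMode="ExecuteURL" />
      <remove statusCode="500" subStatusCode="-1" />
      <error statusCode="500" path="/errors/500.html" responseMode="ExecuteURL" />
    </httpErrors>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <!-- The poster's existing rule from the question, unchanged. -->
          <add sequence="/AUX/.aspx" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Two things to check after applying it: request a page that genuinely throws and confirm the 500 body is the IIS placeholder and not the ASP.NET yellow-screen, since `mode="Off"` without `existingResponse="Replace"` is a disclosure regression; and remember that `Replace` also discards bodies the application sets on purpose, for example JSON error payloads on 4xx responses from an API controller, which may need `existingResponse="Auto"` or a `<location>` override for those paths.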

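A PCI scanner will not limit itself to `/AUX/.aspx`, so it is worth confirming the fix across the whole family of reserved names. The following PowerShell probe is an added example, not from the original question or answer; `$BaseUrl` and the three URL shapes it tries are assumptions. It reports any device-name URL that still answers with something other than 404, which is the status the scanner finding is based on.

```powershell
# Added example, not from the original question or answer. Requests the MS-DOS
# device-name URLs a PCI scanner is likely to try and reports any that still answer
# with a status other than 404. $BaseUrl and the URL shapes probed are assumptions.
param([string]$BaseUrl = "http://localhost")

# Reserved device names on Windows: CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9.
$deviceNames = @("CON", "PRN", "AUX", "NUL") +
               (1..9 | ForEach-Object { "COM$_"; "LPT$_" })

$results = foreach ($name in $deviceNames) {
    # The scanner finding quotes /AUX/.aspx; the other two shapes are assumed extras
    # so that the fix is not tuned to a single URL.
    foreach ($path in @("/$name/.aspx", "/$name.aspx", "/$name")) {
        $url = "$BaseUrl$path"
        try {
            $status = [int](Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop).StatusCode
        } catch {
            # Invoke-WebRequest throws on 4xx/5xx; the real status is on the exception's Response.
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        }
        [pscustomobject]@{ Url = $url; Status = $status; Pass = ($status -eq 404) }
    }
}

$results | Format-Table -AutoSize
$failures = @($results | Where-Object { -not $_.Pass })
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) device-name URL(s) did not return 404"
    exit 1
}
```

Run it as `.\Probe-DeviceNames.ps1 -BaseUrl https://yourhost` from a machine that can reach the site the way the scanner does (through the same load balancer or WAF), since a 404 seen from localhost on the web server does not prove what an external scanner will see. A status of -1 means no HTTP response came back at all, which for this particular finding is the symptom worth looking at hardest.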