4

I'm having IIS (Microsoft-IIS/7.5) return back a 403 forbidden and I cannot figure out why. I've narrowed it down to %2F but only when a single letter precedes it. Any idea what could be causing this?

These Work...

But if you put any single letter in front of the %2F it fails with a 403.

These Fail...

Thanks!

UPDATE: I have ruled out ColdFusion because this gives the same 403: http://example.com/mySite123/indexdotcfm?x=a%2F

UPDATE:

Top Level IIs:
Checked:  
  Allow unlisted file name extensions
  Allow unlisted verbs
  Allow high-bit characters
Unchecked:
  Allow double escaping

Request Limits:
Maximum allowed content length (Bytes):  30000000 Maximum URL length (Bytes):
4096 Maximum query string (Bytes):  2048

Sites
mySite123:
  Checked:  
    Allow unlisted verbs
    Allow high-bit characters
  Unchecked:
    Allow unlisted file name extensions
    Allow double escaping

  Request Limits:
    Maximum allowed content length (Bytes):  2147483647
    Maximum URL length (Bytes):  4096
    Maximum query string (Bytes):  2048

  Deny URL
    /CFIDE/Administrator
    /CFIDE/adminapi

UPDATE: If I change the directory I'm hitting I can make the 403 change to a 404. Example:

This returns a 404 as expected: http://www.example.com/anything.anything?anything=x%2Fanything

This returns a 403: http://www.example.com/mySite123/anything.anything?anything=x%2Fanything

So is it safe to assume the 403 issue has something to do with the "mySite123" virtual directory setup?

gfrobenius
  • 3,987
  • 8
  • 34
  • 66
  • Can you show your rewrite rule set? %2F is a forward slash, so this might have to do with rewriting. – Olaf Jan 20 '15 at 21:44
  • 1
    Yes, it just might take some time. I don't have access. I have to request it from someone else. The request has been made. – gfrobenius Jan 20 '15 at 21:48
  • @Olaf there are no rewrite rules. – gfrobenius Jan 21 '15 at 15:47
  • Is the response for http://example.com/index.cfm?y=c%2F (different variable name) also 403? – Nebu Jan 23 '15 at 11:21
  • Are you using [request filtering](http://www.iis.net/configreference/system.webserver/security/requestfiltering) for IIS? If so, what settings have you enabled/disabled there? – Miguel-F Jan 23 '15 at 13:53
  • @Nebu a different variable does throw the same 403, it doesn't have to be "x". – gfrobenius Jan 23 '15 at 16:48
  • @Miguel-F I'll find out. Also forgot to mention this ColdFusion application is installed on many different servers. Many run Apache and many run IIS. All other Apache and IIS servers do not have this issue. It is just this one particular IIS server. It is also behind a F5 BigIp if that helps. – gfrobenius Jan 23 '15 at 16:49
  • @Miguel-F I asked for the request filtering settings, I updated the OP with their response. – gfrobenius Jan 23 '15 at 18:54
  • I did not realize this was only happening on one of your servers. Have you compared settings with one of the other, working, servers? If this server is behind an F5, it could also be that load balancer that is responding to these requests. Have you verified that the request with %2F is reaching the IIS web server (in the IIS logs with the 403 response)? – Miguel-F Jan 23 '15 at 21:53
  • Two questions. 1) Do you have another IIS 7.5 server which is running the same websites that is not having this problem. 2) Can you add the web.config file to your question. – Nebu Jan 26 '15 at 10:36
  • I unmarked my answer as the accepted answer. Today the issue appears to be back. I added an update to the OP, so is it safe to assume the 403 issue has something to do with the "mySite123" virtual directory setup? – gfrobenius Jan 28 '15 at 18:24

4 Answers4

9

I am pretty sure you are getting the 403 Forbidden response as a security feature of IIS. This is a known attack vector. The character sequence %2F is simply the URL encoded representation of the / (forward slash) character. Obviously that has special meaning for browsers and the internet. It is used for directory traversal. Encoding special characters in the URL is a hacking trick to bypass some basic security measures. See Path Traversal from OWASP. From the Full text of "The Web Application Hacker Handbook" (about half-way down that page):

Chapter 10 Attacking Back-End Components 575

HACK STEPS

  1. Always try path traversal sequences using both forward slashes and back slashes. Many input filters check for only one of these, when the filesystem may support both.

  2. Try simple URL-encoded representations of traversal sequences using the following encodings. Be sure to encode every single slash and dot within your input:

    Dot — %2e
    Forward slash — %2f
    Backslash — %5c

  3. Try using 1 6-bit Unicode encoding:

    Dot — %u002e
    Forward slash — %u22l5
    Backslash — %u22l6

  4. Try double URL encoding:

    Dot-%252e
    Forward slash — %252f
    Backslash — %255c

  5. Try overlong UTF-8 Unicode encoding:

    Dot — %c0%2e, %e0%40%ae, %c0ae, and so on
    Forward slash — %cO%af , %e0%80%af , %c0%2f , and so on
    Backslash — %c0%5c, %c0%80%5c, and so on

    ...

(The bold is my emphasis)

You could potentially come up with a way to allow this but why would you? I would not recommend it. Do you want to open up your server to potential attacks? I think it would be best to avoid this URL sequence all together. Is the forward slash character really needed in the URL query string? Instead of finding a way to allow this character in the query string perhaps you can use a different one that is not as dangerous and does not expose your server. For that particular URL variable you could look for this different character and replace it with what you need on the server side. Something like:

Instead of 

http://example.com/index.cfm?x=a%2Fblah

Use 

http://example.com/index.cfm?x=a-blah

Then on the server you know to expect the - (dash) character in the x variable so you replace it with the / (forward slash) character on the server. Or whatever character is needed.

In ColdFusion

<cfset x = Replace(URL.x,"-","/","ALL") />

Just be sure to use some unique character that will not exist in that string. Always remember to sanitize ALL user supplied input on the server.

Here are some references that I found regarding the %2f character sequence being vulnerable in the URL:

Component titles containing '/' (forward slash) characters

IIS URL Decoding Vulnerability

Receive an HTTP 400 error if %2F is part of the GET URL in JBOSS

URL-encoded slash in URL

Generic Google search about the topic

Note that some of the above references are related to web servers other than IIS but they show the vulnerability exists.

Something else you might be able to try is double escaping the sequence. So instead of %2f you have %252F (%25 is a percent sign). But you will need to make changes in IIS to support this as well. Reference - if I name an image with a %2F, I cannot access it and when navigating to it, I get a 404. I think this would be a last resort though. Double Encoding

Community
  • 1
  • 1
Miguel-F
  • 13,450
  • 6
  • 38
  • 63
  • Thanks, I'll read all those links shortly, but %2F in the URL is perfectly legal. Also forgot to mention this ColdFusion application is installed on many different servers. Many run Apache and many run IIS. All other Apache and IIS servers do not have this issue. It is just this one particular IIS server. It is also behind a F5 BigIp if that helps. – gfrobenius Jan 23 '15 at 16:46
  • I agree that %2F is legal in the URL, no question, but you are using it in the query string portion of the URL and I am questioning the need for that. Again, it is valid, but why pass directory/file information that way when you could be exposing information to wondering eyes. – Miguel-F Jan 23 '15 at 21:51
  • It isn't directory/file information. It's the value of a name/value pair. I wish we passed only primary key numeric info around but the app was written by many people over many years, it has 1000s of pages and many still query data like so: `www.example.com?jet=F/18` which becomes: `www.example.com?jet=F%2F18`. This IIS server has worked all along, for many years actually, it just recently started sending 403s. And nobody is saying they changed anything. It's really strange. – gfrobenius Jan 23 '15 at 22:46
  • Did it receive Microsoft security patches? My other question is have you verified that these requests are actually hitting the web server or could they be terminating at the F5? – Miguel-F Jan 24 '15 at 00:32
  • Thanks for your help. I gave a +1. Everything in this answer is good and very helpful. But since my server admins fixed it by installing the latest security update to Java 1.7 (update 25 - 64-bit) I think I should mark that as the answer in case others run into the same issue as me. I'm not sure how points on a bounty work when you answer your own question. If there is a way I could give them to you for all your helpful links and questions I would. – gfrobenius Jan 26 '15 at 15:33
  • 1
    Just read through your fascinating prob / exchange. On the question of bounty - http://stackoverflow.com/help/bounty implies that you'll be able to manually award to @miguel-F in 6 hrs time >> "After the bounty ends, there is a grace period of 24 hours to manually award the bounty. Simply click the bounty award icon next to each answer to permanently award your bounty to the answerer. (You cannot award a bounty to your own answer.)" – J Richard Snape Jan 27 '15 at 14:20
1

The server administrators I have been working with have stated:

"The problem stopped after an update was done to the JAVA.

I installed the latest security update to Java 1.7 (update 25 - 64-bit) Saturday.

After the web server was restarted the problem is now gone."

UPDATE: I accepted this as the answer a few days ago, but now the issue appears to be back.

UPDATE (Aug 31, 2015): Solved. It had nothing to do with what the other answers mentioned. The data center firewall people had some invalid settings/rules in place. I cannot elaborate more than that. Adjusting firewall rules was the fix.

gfrobenius
  • 3,987
  • 8
  • 34
  • 66
1

Just to add some specifics to this thread the %2f (which is just an encoded version of the / as previously stated) plagued Microsoft for a while with directory traversal vulnerabilities that allowed hackers to access files outside of web directories. Popular intrusion prevention systems (like Snort) have rules to block this sort of behavior. Here is a detailed write up of the issue along with historical examples of the attack strings and security advisories. That %2f encoding caused a world of pain for web server admins, security admins for years (and variants of the attack are still seen being actively exploited still today).

Max Worg
  • 2,932
  • 2
  • 20
  • 35
0

All, I was banging my head troubleshooting the TermStoreManager on SharePoint, and figured out that my Managed MetaData Application proxy was fine after viewing the TaxonomySession contents using Get-SPTaxonomySession.

The Term Store Manager page, however, was not displaying any Term Sets for some reason.

The issue happened to be the URL for the javascript for the termstore manager code!

https://SharepointSite/_layouts/15/termstoremanager.js?rev=J%2Fry%2BNGddRWsDNgR25iEFA%3D%3D

The J%2F triggered the Host Intrusion Prevention Service (HIPs) running on my server to block the request as a "Standard SQL Injection" attack.

I'll be talking with my firewall/HIPs guys tomorrow. Thanks for this post! It helped lead me in the right direction to resolve a similar issue.

AdamantineWolverine
  • 2,131
  • 1
  • 17
  • 14