From: Maxim A. Sidorov (smaKOTEHOK.NET)
Date: Thu Sep 06 2001 - 18:20:52 CDT

    RE: IIS Web Server Condom

    Guys,
    The "ultimate" solution actually is to establish an http proxy forwarder from
    the outside world into the DMZ...
    My setup is:
    Linux firewall running on an old Pentium system with 32 megs of RAM and an 800Mb HDD
    Apache web-server running on that linux box and forwarding requests into the
    DMZ... not just blind forwarding,
    but with mod_rewrite/mod_proxy, which allows only URLs conforming to some
    regex-match to be forwarded,
    else deny.
    regex/forwarding code in Apache config for your pleasure (and flaming ;-))
    is:
            RewriteEngine On
            # Allowlist: letters, digits, "/", ".", "_" and "-" (hyphen last, so it is literal)
            # are proxied to the DMZ IIS box; anything else is denied.
            RewriteRule ^([a-zA-Z0-9/._-]*)$ http://192.168.0.2$1 [P]
    ^^^ that means to forward incoming requests with URLs conforming to the
    ^([a-zA-Z0-9/._-]*)$ regex to the internal (DMZ) IIS server.
    that's all... I'm not kinda vulnerable to any of unicode....blah-blah
    attack.
    yup, Apache could be just an IIS Condom. Funny, isn't it?
      -----Original Message-----
      From: Thompson, Jimi [mailto:jimi.thompsonVERIZON.COM]
      Sent: Friday, September 07, 2001 6:34 AM
      To: win2ksecadviceLISTSERV.NTSECURITY.NET
      Subject: Re: IIS Web Server Condom

      Steve,

      In all fairness,

      <FLAME>

      <SNIP>
      Are you a developer? Have you ever had to go through thousands of lines
      of code? Have you ever had to think of every possible scenario?
      </SNIP>

      I fail to see where validating data before attempting to process it falls
    under having to "considering every possible scenario". We know what is and
    is not good coding practice. This falls under the latter and for the
    record, yes, I have been through thousands of lines of code (both my own and
    written by others). Error handling is essential to writing solid code.
    Part of handling errors is input validation. Validation of input is
    considered basic coding practice in every programming class at every college
    in the country. Unless you write perfect code all the time, you should be
    putting in error handling of all kinds (not just input validation).
    Validating input is especially important when the data in question is
    supposed to be or can be human edited. As you have pointed out, humans have
    their failings and, as others on this list have pointed out, humans are
    often malicious.

      The RFCs for HTTP define how the data should be formatted in order to be
    a valid URL. The RFCs for TCP/IP define how the data should be formatted
    to be a valid packet. We know what email addresses should look like. In
    many cases, we have standards that tell us what the data should look like.
    Not making the effort to validate the data before accepting and attempting
    to process it is really rather inexcusable, under those circumstances. It
    usually takes very little effort and it is more than worth the end result.
    Software should at least offer the customer the option to validate if
    performance is going to be an issue.

      </FLAME>

      It's just my personal opinion. I don't agree with the profanity but I do
    agree with the general concept. It really is just good coding practice. In
    a commercial product like IIS, it's really sad that it has to be a third
    party that patches something that is this basic.

      Jimi

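The following is an added example, not code from either message above or from the Apache project. It models the allowlist RewriteRule pattern from Maxim's config as a Python regex (Python's re module parses the character class the same way PCRE does) and illustrates Jimi's point about validating input against a defined grammar: the class as originally posted, [a-zA-Z0-9/\.-\_], writes "\.-\_" inside the class, which every common regex engine reads as a range from "." (0x2E) to "_" (0x5F) rather than the three literals ".", "-" and "_". The functions below list which characters that range lets through, which intended character it drops, and compare verdicts on a few constructed request paths. SAMPLE_PATHS, INTENDED and all function names are constructed for this example.

```python
import re
import string

# Added example; constructed, not from the original post or from Apache.
# Models the RewriteRule allowlist as Python regexes (re parses the class like PCRE).

# As posted: inside a character class "\.-\_" is a RANGE from "." (0x2E) to "_" (0x5F).
ORIGINAL_PATTERN = re.compile(r"^([a-zA-Z0-9/\.-\_]*)$")

# Corrected: hyphen placed last so it is literal; "." needs no escape inside a class.
FIXED_PATTERN = re.compile(r"^([a-zA-Z0-9/._-]*)$")

# What the post says the rule should accept: letters, digits, "/", ".", "_" and "-".
INTENDED = set(string.ascii_letters + string.digits + "/._-")


def is_allowed(path, pattern=FIXED_PATTERN):
    """True if the URL-path (no query string; RewriteRule matches the path only) passes."""
    return pattern.fullmatch(path) is not None


def accidentally_allowed(pattern=ORIGINAL_PATTERN):
    """Printable ASCII characters the pattern accepts although they are not INTENDED."""
    return [ch for ch in map(chr, range(0x20, 0x7F))
            if ch not in INTENDED and pattern.fullmatch(ch)]


def wrongly_rejected(pattern=ORIGINAL_PATTERN):
    """INTENDED characters the pattern rejects."""
    return sorted(ch for ch in INTENDED if not pattern.fullmatch(ch))


def compare(paths):
    """Map each path to a (verdict under original pattern, verdict under fixed pattern) pair."""
    return {p: (is_allowed(p, ORIGINAL_PATTERN), is_allowed(p, FIXED_PATTERN)) for p in paths}


# Constructed request paths; none are taken from a real log.
SAMPLE_PATHS = [
    "/index.html",       # ordinary page: both accept
    "/images/logo.png",  # ordinary page: both accept
    "/readme_v1-2.txt",  # hyphen: original rejects (its "-" became a range operator), fixed accepts
    "/scripts/a\\b",     # backslash (0x5C) lies inside the accidental range: original accepts, fixed rejects
    "/cgi;x=y",          # ";" and "=" lie inside the range too: original accepts, fixed rejects
    "/~user",            # "~" is listed by neither class: both reject (the allowlist is strict)
]

if __name__ == "__main__":
    print("accidentally allowed by original class:", "".join(accidentally_allowed()))
    print("wrongly rejected by original class:", wrongly_rejected())
    for path, (orig, fixed) in compare(SAMPLE_PATHS).items():
        print(f"{path!r:22} original={orig!s:5} fixed={fixed}")
```

The lesson is the one Jimi draws in the quoted message: an allowlist is only as good as the grammar it encodes, so a filter should be checked against the set of characters it is meant to accept rather than assumed correct by inspection. Note also that Apache decodes the URL-path before RewriteRule matching and keeps the query string separate, so a path filter like this one says nothing about query parameters.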