Hi!

I'm using Windows 2003 and IIS 6.0 to host a mobile device application. I've
migrated over from IIS 5.0.
IIS 6.0 seems to block all incoming requests from mobile devices.
My suspicion is that http.sys blocks these requests because they're without
user agent or has an illegal \r\n ending in the request. But my problem is
that I cannot control the requests generated by the mobile devices using my
app.

Does anyone know how to shut off or configure the request blocking done by
http.sys?
Or do I have to go all the way back to windows 2000?

Any ideas or suggestions are welcome!!!

PS:
I suspect that http.sys blocks the mobile device requests because they don't
have user agent in header.
The request headers sent by the mobile devices are as following:
Connection: close
Host=myweb.com:80

The Httperr.log looks like this:
2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest

[ Post a follow-up to this message ]

That host header is incorrect.

All HTTP headers should be:

header-name colon header-value

eg:

connection: close
-or-
host: www.mycompany.com

Something like:

host=www.mycompany.com

is not a valid HTTP header as far as I know.
I think that's possible a cause of your problems.

HTTP.sys does not block requests that do not have a user-agent. That's easy
to verify using telnet:

telnet>open www.mycompany.com 80
GET / HTTP/1.1 [enter]
HOST: www.mycompany.com [enter][enter]

If you enter the above, you will get IIS to respond just fine, even though
there is no user-agent header, no accept header etc.

Cheers
Ken


"Hans Olav Stjernholm" <none@no.no> wrote in message
news:egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl...
> Hi!
>
> I'm using Windows 2003 and IIS 6.0 to host a mobile device application.
> I've
> migrated over from IIS 5.0.
> IIS 6.0 seems to block all incoming requests from mobile devices.
> My suspicion is that http.sys blocks these requests because they're
> without
> user agent or has an illegal \r\n ending in the request. But my problem is
> that I cannot control the requests generated by the mobile devices using
> my
> app.
>
> Does anyone know how to shut off or configure the request blocking done by
> http.sys?
> Or do I have to go all the way back to windows 2000?
>
> Any ideas or suggestions are welcome!!!
>
> PS:
> I suspect that http.sys blocks the mobile device requests because they
> don't
> have user agent in header.
> The request headers sent by the mobile devices are as following:
> Connection: close
> Host=myweb.com:80
>
> The Httperr.log looks like this:
> 2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET
> /get.aspx?a=&u=38 400 - BadRequest
> 2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET
> /get.aspx?a=&u=38 400 - BadRequest
> 2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET
> /get.aspx?a=&u=38 400 - BadRequest
> 2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET
> /get.aspx?a=&u=38 400 - BadRequest
>
>

[ Post a follow-up to this message ]

For proper security, servers should only accept proper HTTP requests.
Applications that cannot send proper HTTP requests are broken and should be
fixed.

There is no way to shut off nor configure request blocking done by HTTP.SYS.
It is an important part of overall server security.

The only resolutions I see are:
1. Use IIS5 on Windows 2000 (i.e. forsake security achieved by IIS6 over
IIS5)
2. Open a PSS support case on the behavior and justify a change in HTTP.SYS

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Hans Olav Stjernholm" <none@no.no> wrote in message
news:egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl...
Hi!

I'm using Windows 2003 and IIS 6.0 to host a mobile device application. I've
migrated over from IIS 5.0.
IIS 6.0 seems to block all incoming requests from mobile devices.
My suspicion is that http.sys blocks these requests because they're without
user agent or has an illegal \r\n ending in the request. But my problem is
that I cannot control the requests generated by the mobile devices using my
app.

Does anyone know how to shut off or configure the request blocking done by
http.sys?
Or do I have to go all the way back to windows 2000?

Any ideas or suggestions are welcome!!!

PS:
I suspect that http.sys blocks the mobile device requests because they don't
have user agent in header.
The request headers sent by the mobile devices are as following:
Connection: close
Host=myweb.com:80

The Httperr.log looks like this:
2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest

[ Post a follow-up to this message ]

Still no solution for this Problem?
(

- Devices in the market cannot be changed.
- Not possible to get request before http.sys (kernal mode).

To strictly conform http spec is very good. But it should be possible to int
ercept requests!



quote:
Originally posted by David Wang [Msft] 
For proper security, servers should only accept proper HTTP requests.
Applications that cannot send proper HTTP requests are broken and should be
fixed.

There is no way to shut off nor configure request blocking done by HTTP.SYS.
It is an important part of overall server security.

The only resolutions I see are:
1. Use IIS5 on Windows 2000 (i.e. forsake security achieved by IIS6 over
IIS5)
2. Open a PSS support case on the behavior and justify a change in HTTP.SYS

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Hans Olav Stjernholm" <none@no.no> wrote in message
news:egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl...
Hi!

I'm using Windows 2003 and IIS 6.0 to host a mobile device application. I've
migrated over from IIS 5.0.
IIS 6.0 seems to block all incoming requests from mobile devices.
My suspicion is that http.sys blocks these requests because they're without
user agent or has an illegal \r\n ending in the request. But my problem is
that I cannot control the requests generated by the mobile devices using my
app.

Does anyone know how to shut off or configure the request blocking done by
http.sys?
Or do I have to go all the way back to windows 2000?

Any ideas or suggestions are welcome!!!

PS:
I suspect that http.sys blocks the mobile device requests because they don't
have user agent in header.
The request headers sent by the mobile devices are as following:
Connection: close
Host=myweb.com:80

The Httperr.log looks like this:
2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest
2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET
/get.aspx?a=&u=38 400 - BadRequest 

[ Post a follow-up to this message ]

surely you can put a filter before http.sys.  isn't that the basis of how
urlscan and other isapi filters work?  if nothing else send iis to a
different port and write your own proxy to listen on port 80 and fix up
requests before forwarding them on to iis.

"bertelmonster" <bertelmonster.1nmv52@mail.webservertalk.com> wrote in
message news:bertelmonster.1nmv52@mail.webservertalk.com...
>
> Still no solution for this Problem?
> (
>
> - Devices in the market cannot be changed.
> - Not possible to get request before http.sys (kernal mode).
>
> To strictly conform http spec is very good. But it should be possible
> to intercept requests!
>
>
>
> David Wang [Msft] wrote: 
>
>
>
> --
> bertelmonster
> ------------------------------------------------------------------------
> Posted via http://www.webservertalk.com
> ------------------------------------------------------------------------
> View this thread: http://www.webservertalk.com/message349594.html
>

[ Post a follow-up to this message ]

Hi Dave and bertelmonster,

First off, a user-agent header is not required in any version of HTTP, so
http.sys will not reject a request based on that.

In looking at the header data below, I see a properly formed connection
header, but the line "Host=myweb.com:80" will cause http.sys to fail to find
a host header.  Since a host header is required for HTTP/1.1, this could
cause a 400 response.  The correct value of the header should be "Host:
myweb.com:80".

Also, assuming that this header is just a typo, there could be something
outside of just headers that's making the request invalid.  It would be
necessary to see a capture of the actual raw request in its entirely to say
for sure what's wrong.

Finally regarding filters, in Worker Process Isolation Mode, David is
correct that you cannot intercept the request.  UrlScan and other filters
work by looking at the request after it's been parsed by http.sys.  In IIS 5
Isolation Mode, though, you can write a read raw data filter that sees the
raw data stream before http.sys parses it.  It would be possible to put IIS
into this mode an use such a filter to fix the data stream.  This would
probably not be an ideal solution, as you would give up the benefits of the
new IIS 6 process model.  If it's true that the device is really sending a
malformed host header, then that would be a very serious defect in the
device and you should definitely contact the vendor.

Thank you,
-Wade A. Hilmo,
-Microsoft

"Dave" <noone@nowhere.com> wrote in message
news:O6eL3V1QFHA.1476@TK2MSFTNGP09.phx.gbl...
> surely you can put a filter before http.sys.  isn't that the basis of how
> urlscan and other isapi filters work?  if nothing else send iis to a
> different port and write your own proxy to listen on port 80 and fix up
> requests before forwarding them on to iis.
>
> "bertelmonster" <bertelmonster.1nmv52@mail.webservertalk.com> wrote in
> message news:bertelmonster.1nmv52@mail.webservertalk.com... 
>
>

[ Post a follow-up to this message ]

ISAPI filters in IIS 6.0 do not load "before" http.sys. The process
incoming requests AFTER http.sys routes the incoming request to that
website.

In IIS 5.0 (Win2k) there was no http.sys so the incoming requests went
directly to IIS. IIS loaded all ISAPI filters in inetinfo.exe so all
incoming requests would be parsed by all installed ISAPI filters. Filters
like URLScan could parse the incoming request before it was consumed by IIS
allowing improper requests to be rejected.

In IIS 6.0 http.sys was introduced and it acts like a filter itself in a
way, checking incoming requests for validity. If the validity check fails
then the request is rejected and logged in \logfiles\httperr. IIS doesn't
know about these incoming requests. If the request is allowed by http.sys
then the request is passed on to the IIS process the request was indended
for (w3wp.exe).

Furthermore ISAPI filters in IIS 6.0 are loaded into the specific process
(w3wp.exe) they are intended for so that not every request for every
website has to go thru all the ISAPI filters, just the ones intended for
use with that particular website.


Hans - there is no way to shut down http.sys in IIS 6.0. If you app is not
creating proper formed requests then http.sys will reject it.

Hope this helps!

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks!
~Andrew Davis
Microsoft PSS Security

--------------------
>From: "Dave" <noone@nowhere.com>
>References: <egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl>
<uD1Pnv#hEHA.2624@TK2MSFTNGP12.phx.gbl>
<bertelmonster.1nmv52@mail.webservertalk.com>
>Subject: Re: Does Http.sys block all mobile device requests?
>Date: Sun, 17 Apr 2005 13:57:48 -0000
>Lines: 95
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
>Message-ID: <O6eL3V1QFHA.1476@TK2MSFTNGP09.phx.gbl>
>Newsgroups: microsoft.public.inetserver.iis.security
>NNTP-Posting-Host: k1ttt.net 140.186.101.248
>Path:
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP0
9.phx.gbl
>Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.inetserver.iis.security:17295
>X-Tomcat-NG: microsoft.public.inetserver.iis.security
>
>surely you can put a filter before http.sys.  isn't that the basis of how
>urlscan and other isapi filters work?  if nothing else send iis to a
>different port and write your own proxy to listen on port 80 and fix up
>requests before forwarding them on to iis.
>
>"bertelmonster" <bertelmonster.1nmv52@mail.webservertalk.com> wrote in
>message news:bertelmonster.1nmv52@mail.webservertalk.com... 
>
>
>

[ Post a follow-up to this message ]