Urls / lpt1和/ com1导致IIS呈现其自己的死亡屏幕

Question

When running a recent SkipFish scan - we found that IIS (7.5) returns the following if you call /lptX or /comX (where X is a number 1-9).

Server Error in '/' Application.

The resource cannot be found.

Description: HTTP 404. The resource you ...[and so on]...

This is dispite the fact that we have custom [pretty] errors at the site-level and at the web server config level.

Try it on your IIS box now if you have one - http://localhost/lpt1 should do it.

I'm guessing this is a legacy thing from 'the good ol days' of LPT printers and mice connecting via COM ports. But it is slightly unsettling to see and area of IIS that I can't config.

Is it possible to force IIS to serve a custom 404 page even for these 'special' URLs?

Answer 1

Until ASP.NET 4.0 it wasn't possible to use certain reserved filenames such as con , lpt , aux and so in on your urls:

Zombie Operating Systems and ASP.NET MVC

This was a limitation of ASP.NET, not MVC.

However the good news is that it's now possible:

Putting the Con (COM1, LPT1, NUL, etc.) Back in your URLs

If you're not using ASP.NET 4.0, you should be able to catch these 404's using IIS7's own <httpErrors> configuration settings.

Answer 2

With ASP .NET 3.5 you can use an url rewrite rule of the url rewrite module in order to change the url to a valid one.

The url rewite module is:

The Microsoft URL Rewrite Module 2.0 for IIS 7 and above enables IIS administrators to create powerful customized rules to map request URLs to friendly URLs that are easier for users to remember and easier for search engines to find

Something like:

<rewrite>
  <rules>
    <rule name="CON rewrite" stopProcessing="true">
      <match url="(.*)/(con\.)(.*)" />
      <action type="Redirect" url="{R:1}/con-{R:3}" redirectType="SeeOther" />
    </rule>     
  </rules>
</rewrite>