Microsoft KB Archive/839565

= The UrlScan security tool redirects HTTP POST requests to the "Page cannot be displayed" page when the content length exceeds the MaxAllowedContentLength value in IIS =

Article ID: 839565

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Server 4.0

-



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx





SYMPTOMS
If the content length in an HTTP POST request exceeds the value of the MaxAllowedContentLength parameter that is specified in the Urlscan.ini file, the UrlScan security tool redirects the request to the "Page cannot be displayed" error page instead of to the page that is specified in the value of the RejectResponseUrl parameter.



WORKAROUND
To avoid this behavior, comment out the MaxAllowedContentLength parameter in the Urlscan.ini file, and then manually redirect the request to the page that you want when Request.TotalBytes exceeds the value of the MaxAllowedContentLength parameter.

For example, after you comment out the MaxAllowedContentLength parameter in the Urlscan.ini file, modify the code as in the following sample code:

    <%
    'Check the length of content that is posted.
    If Request.TotalBytes < 3000000 Then
        '//Put your code here.
    Else
        '//Put the code to redirect the request to the page that you want here.
    End If
    %>
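The workaround filled in with the upload sample from the reproduction steps later in this article, as an added example that is not part of the original article: the size check runs before the upload component reads the request body, and a rejected post is recorded in the IIS log because UrlScan no longer logs it. The REJECT_PAGE path and the log marker text are hypothetical placeholders; 3000000 is the value from the article's sample.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Buffer output so that Response.Redirect can still replace the response.
Response.Buffer = True

' Application-level stand-in for the commented-out UrlScan
' MaxAllowedContentLength setting (value taken from the article's sample).
Const MAX_CONTENT_LENGTH = 3000000

' Hypothetical virtual path (assumption): the page that the
' RejectResponseUrl parameter was meant to serve.
Const REJECT_PAGE = "/Errors/UploadTooLarge.asp"

Dim mySmartUpload

' Request.TotalBytes is the size of the posted body. Test it before any
' component reads the body, so oversized posts are never written to disk.
If Request.TotalBytes < MAX_CONTENT_LENGTH Then
    ' Within the limit: run the upload with the third-party component
    ' used in the article's sample (Advantys aspSmartUpload).
    Set mySmartUpload = Server.CreateObject("aspSmartUpload.SmartUpload")
    mySmartUpload.Upload
    mySmartUpload.Save("/aspSmartUpload/Upload")
    Set mySmartUpload = Nothing
    Response.Write "Upload complete."
Else
    ' Too large: leave a marker in the IIS log entry for this request
    ' (no commas allowed in the string), then send the client to the
    ' custom page instead of the default error page.
    Response.AppendToLog "upload-rejected-bytes=" & Request.TotalBytes
    Response.Redirect REJECT_PAGE
End If
%>
```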



STATUS
This behavior is by design.



MORE INFORMATION
UrlScan version 2.5 is a security tool that restricts the types of HTTP requests that Microsoft Internet Information Services (IIS) will process. The UrlScan security tool helps prevent potentially damaging requests from reaching the server by blocking specific HTTP requests. The UrlScan security tool installs as a clean installation on servers that are running IIS 4.0 and later.

The MaxAllowedContentLength parameter specifies the maximum content length that the UrlScan security tool will permit in an HTTP POST request.

The RejectResponseUrl parameter specifies the virtual path of a file that runs when the UrlScan security tool blocks a request. You can use this parameter to customize the response that is sent to the client when the UrlScan security tool blocks a request.

Steps to reproduce the behavior
 Download and then install the UrlScan security tool. To obtain the UrlScan security tool, visit the following Microsoft Developer Network (MSDN) Web site:

 You must configure the UrlScan security tool for IIS. The Urlscan.ini file contains all configuration information for the UrlScan security tool. The Urlscan.ini file is located in the %WINDIR%\System32\Inetsrv\URLscan folder.

To configure the UrlScan security tool, open the Urlscan.ini file in a text editor such as Notepad, make the appropriate changes, and then save the file.

For additional information about how to configure the UrlScan security tool, click the following article number to view the article in the Microsoft Knowledge Base:

326444 HOW TO: Configure the UrlScan tool

Note When you configure the UrlScan security tool, set the MaxAllowedContentLength parameter and the RejectResponseUrl parameter.

 Create a sample program that uses ASP to upload files to a server that is running IIS Server. For example, the following sample code uploads files by using a third-party component in ASP. In this sample code, the component is Advantys aspSmartUpload.

    <%
    Dim mySmartUpload
    Set mySmartUpload = Server.CreateObject("aspSmartUpload.SmartUpload")
    mySmartUpload.Upload
    mySmartUpload.Save("/aspSmartUpload/Upload")
    %>

Note This sample code contains only the server-side code that is used to upload a file.

 Use your sample program to upload a file that has a content length that exceeds the value of the MaxAllowedContentLength parameter.

 Verify that the UrlScan security tool redirects your request to the "Page cannot be displayed" error page instead of to the page that you specified in the RejectResponseUrl parameter.

<div class="references_section">