Solved

Special Characters in Form Fields blocked by SecureIIS

Posted on 2008-06-16
Last Modified: 2008-06-16
Our server uses SecureIIS for security, and it has a function where it screens all POST variables from forms for special characters.  I have several content management forms on my site that need to be able to accept en-dash and em-dash characters but SecureIIS kicks out an error whenever it receives one of these because it thinks it's malicious.  Does anyone know if there is a configuration setting in SecureIIS anywhere where I can specify "safe" characters?
Question by:lghaman123

Accepted Solution

by: Rurne (earned 500 total points)
ID: 21796851
It sounds like SecureIIS is accepting only ASCII encoding.  Under the Shellcode option, you will see high-bit shellcode protection.  Anything outside of "standard" ASCII is considered high-bit (greater than €), so basically SecureIIS gives Unicode the hatchet job.  Em dash (—) and en dash (–) are covered under UTF-8, but not under ASCII.  SecureIIS readily acknowledges that this messes up multilingual sites, but this will also affect any file uploads/binary data submitted through a form.  You should disable all High Bit Shellcode options to restore functionality.

Author Comment

by:lghaman123
ID: 21797030
Thanks for your prompt response.  Not sure if my IT guys will let me do that but we'll see.

Thanks!

Expert Comment

by:Rurne
ID: 21797077
It's really pretty obnoxious.  It would be great if eEye would allow you to specify a particular character set and would provide proper escaping for, say, UTF-8.  However, there are several known exploits for Unicode, which is why Unicode gets blocked by default in SecureIIS.  Unfortunately, it's an either/or situation; if you want em and en dashes, you may be opening yourself to potential exploits.

HTH
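
The high-bit check described in the accepted answer, as an added example that is not part of the original thread and is not SecureIIS code: it assumes, as the answer describes, that any byte above 0x7F in a decoded form value trips the filter, and reports which fields of a constructed POST body would be affected. The function name `high_bit_report` and the sample body are made up for illustration; strict UTF-8 decoding stands in for the narrower "allow one character set" check wished for above.

```python
import unicodedata
from urllib.parse import unquote_to_bytes


def high_bit_report(body: bytes) -> dict:
    """Map each urlencoded form field to the high-bit content in its value."""
    report = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        # Percent-decode to raw bytes, the level a byte-oriented filter sees.
        raw = unquote_to_bytes(value.replace(b"+", b" "))
        if all(b <= 0x7F for b in raw):
            continue  # pure ASCII: a high-bit filter has nothing to flag
        field = unquote_to_bytes(name).decode("ascii", "replace")
        try:
            # Strict decoding rejects malformed or truncated sequences,
            # so well-formed text can be told apart from arbitrary bytes.
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            report[field] = ["invalid UTF-8: " + raw.hex()]
            continue
        # One entry per distinct non-ASCII character, with its UTF-8 bytes.
        report[field] = [
            f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')} = {ch.encode('utf-8').hex()}"
            for ch in dict.fromkeys(text)
            if ord(ch) > 0x7F
        ]
    return report


# Constructed sample body: an en dash, an em dash, an ASCII-only field,
# and a field carrying binary data (not text at all).
SAMPLE = (
    b"title=Q1%E2%80%93Q2+results"
    b"&body=Fast+%E2%80%94+and+safe"
    b"&slug=q1-q2"
    b"&thumb=%FF%D8%FF"
)

if __name__ == "__main__":
    for field, findings in high_bit_report(SAMPLE).items():
        print(field, findings)
```

Every byte of a UTF-8 encoded en or em dash is above 0x7F, which is why a filter working at the byte level cannot pass the dashes while still blocking other high-bit input.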