Microsoft URLScan and POST problem

I recently encountered a problem on a clients Windows 2000 server SP4, who had a php site installed on IIS 5.0. But it was showing a strange behavior. Pages pushing data via POST were not getting processed, rather it was throwing a 404 error. Obviously it was because the allowed verbs in IIS were limited to GET and HEAD only. So the simple solution was changing the allowed verbs to include POST in the IIS administration panel. But as always happens, it was easier said than done. The problem was that IIS wouldn’t start; splashing an ugly ‘unable to connect to the machine‘ error. Microsoft knowledge base suggested some changes to the registry; but I could not mess with that solution, as the site was live.

After digging around for a couple of minutes more I found that the particular IIS was protected by the IIS Lockdown tool. I did not want to uninstall the tool, which would mean losing the security setting. I found that the tool also used the URLScan security tool, which restricts the types of HTTP requests that Internet Information Services (IIS) will process. To my relief it uses a .ini file for configuration, so it was just a matter of editing the config file and voila! the POST problem was resolved.

The URLScan.ini file is located at : %windir%\System32\Inetsrv\Urlscan. And all you have to do is add the POST verb in the allowed verbs section.

[AllowVerbs]
 
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
 
GET
HEAD
POST
iis

One thought on “Microsoft URLScan and POST problem

  1. “I recently encountered a problem on a clients Windows NT server, who had a php site installed on IIS 5.0.”

    Is your client living in the 90’s… ? NT+IIS5??? I really hope that box isn’t externally available. :/

Comments are closed.