Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

FlexWiki and URLScan

Saturday, January 17, 2004

 .NET  ASP.NET  Extreme Programming  Security 

Last July, I mentioned I installed DevHawk Wiki as our team's Wiki engine.  About a month ago, we decided to upgrade to FlexWiki instead.  It was very easy to move our Wiki pages from one Wiki engine to another.  If you are looking for a low-friction collaboration tool for your group or organization, check out Wiki.  Our team uses it extensively to keep updated on the project (FlexWiki also provides RSS feeds of updated and new pages!).

This week, I moved our Wiki to a new machine (after updating FlexWiki to the latest version), and installed the much-recommended security tools IISLockdown and URLScan on a Windows XP box.  What I found was that the Wiki was no longer working!  It turned out that URLScan was prohibiting the viewing of pages that have extra “dots” in the URL.

One of the ways Wiki works is that pages are created as text files with .wiki extensions.  If you have a CoolProject as your Namespace, for example, as a folder location of your Wiki files, and have created a new Wiki page for your name,, for example, then to see the page in FlexWiki, you would use this URL: 


Notice the “dot” in the URL.  For URLScan, you can configure the AllowDotInPath filter setting from 0 (default) to 1 in the urlscan.ini file.  This fixed the problem with viewing Wiki pages in FlexWiki.

Note:  Notice that URLScan 2.5 is the latest version.  With IIS 6.0 (only on Windows Server 2003), many of the features of IISLockdown and URLScan are now either built into IIS 6.0 or are better than what is offered by these tools.  In some cases, though, URLScan does offer some out of the box features that IIS 6.0 still doesn't offer.  See this article to determine if you should install it or not on Windows Server 2003:  For all other OSs (i.e. Windows NT, 2000, XP), you should install these security tools.

Debug Note:  One other “gotcha” with URLScan is that it watches for the key verbs coming across:  GET, POST, etc.  In order to debug ASP.NET pages, when URLScan is installed, you must add the verb DEBUG in the allowed verb list in the urlscan.ini file (as noted here).

Update:  As Darrell Norton points out on his blog, for .Net, you can download the specific urlscan.ini files for .Net Production and .Net Development servers.  These scripts are featured in Operating .Net Applications, part of the excellent Patterns and Practices series from Microsoft.  Thanks again, Darrell.
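A check for the two relaxations described in this post (AllowDotInPath=1 and the DEBUG verb), useful for confirming that a development urlscan.ini has not been carried onto a production server. This is an added example, not part of the original post or of URLScan itself; the sample file contents, the function name `audit_urlscan`, and the treatment of a missing UseAllowVerbs key as 1 are assumptions.

```python
import configparser

# Constructed sample: a development-style urlscan.ini with both changes from the post.
SAMPLE_INI = """\
[options]
UseAllowVerbs=1     ; 1 = accept only verbs in [AllowVerbs]; 0 = reject verbs in [DenyVerbs]
AllowDotInPath=1    ; 0 is the default; 1 lets URLs with extra dots through

[AllowVerbs]
GET
HEAD
POST
DEBUG

[DenyVerbs]
PROPFIND
"""

def _section(cfg, name):
    """Return a section's entries as a dict, matching the section name case-insensitively."""
    for sec in cfg.sections():
        if sec.lower() == name.lower():
            return dict(cfg[sec])
    return {}

def audit_urlscan(ini_text):
    """Return a list of findings for the two relaxations discussed in the post."""
    # Verb lists are bare keys with no value; urlscan.ini uses ';' for comments.
    cfg = configparser.ConfigParser(allow_no_value=True, strict=False,
                                    interpolation=None, inline_comment_prefixes=(";",))
    cfg.optionxform = str  # keep keys and verbs as written instead of lower-casing
    cfg.read_string(ini_text)
    opts = {k.lower(): (v or "").strip() for k, v in _section(cfg, "options").items()}
    allow = {verb.upper() for verb in _section(cfg, "AllowVerbs")}
    deny = {verb.upper() for verb in _section(cfg, "DenyVerbs")}

    findings = []
    if opts.get("allowdotinpath", "0") == "1":
        findings.append("AllowDotInPath=1: requests with extra dots in the path are not rejected")
    # Assumption: a missing UseAllowVerbs key is treated as 1 (allow-list mode).
    allow_mode = opts.get("useallowverbs", "1") == "1"
    debug_ok = ("DEBUG" in allow) if allow_mode else ("DEBUG" not in deny)
    if debug_ok:
        findings.append("DEBUG verb accepted: ASP.NET debugging requests are not rejected")
    return findings

if __name__ == "__main__":
    for finding in audit_urlscan(SAMPLE_INI):
        print("REVIEW:", finding)
```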

