IIS Allowing random strings after filename

Question

I host several websites on IIS and recently found that on one website I have users adding additional characters at the end of a valid URI and IIS returns the file. I would have expected an error. The requests appear to be a cache busting technique, just trying to understand how adding extra characters doesn't result in an error. An example is a request for myfile.t19.htm/58sbcaiqtsbj8p7n8tkl still successfully returns myfile.t19.htm. They do this on several different files and file types so I'm still working on filters to stop it, but still want to understand how it happens in the first place.

Answer 1

For the URL http://www.contoso.com/virdir/page.html/tail, the PathInfo value is /tail.

Pathinfo is not specific to a certain framework. Pathinfo is strictly a predefined variable provided by the HTTP server. In many frameworks, there is an important component called router, which can be implemented by using pathinfo.

IIS Server Variables: PATH_INFO

Path information, as given by the client, for example, /vdir/myisapi.dll/zip. If this information comes from a URL, it is decoded by the server before it is passed to the CGI script or ISAPI filter. If the AllowPathInfoForScriptMappings metabase property is set to true (to support exclusive CGI functionality), PATH_INFO will only contain /zip and ISAPI applications such as ASP will break.

The AllowPathInfoForScriptMappings property indicates whether the PATH_INFO IIS Server Variables will contain full path information ("/vdir/myisapi.dll/zip") or partial path information ("/zip").

This property is false (full path) by default on the IIS server because ISAPI applications use the PATH_TRANSLATED IIS Server Variables to locate the file being requested. PATH_TRANSLATED is derived from PATH_INFO.

This property can be set to true if your site or server contains only CGI content. ISAPI applications such as ASP will not work when this property is set to true because AllowPathInfoForScriptMappings affects all handlers for the node at which it is configured, not just CGI.

Answer 2

Thanks. I don't consider it a great solution, but it's working so far. I added a URLRewrite rule like this:

<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAny">
                        <add input="{REQUEST_URI}" pattern="*.htm/*" />
                        <add input="{REQUEST_URI}" pattern="*.stm/*" />
                    </conditions>
                    <action type="CustomResponse" statusCode="400" statusReason="Invalid Request" statusDescription="You have made an invalid request." />
                </rule>```