
Major bug in urlprotect.dll found(?), please read

Discussion in 'Plesk for Windows - 8.x and Older' started by jerry2, Jul 24, 2008.

  1. jerry2

    jerry2 Guest

     
    Hi there, I hope I got your attention ;-)

    I think I may have found a major bug in this Plesk module, named URLprotect.dll...

    What happens if I enter in any of my Plesk servers a URL (language, database name etc. don't matter), something like:

    http://www.test.com/article.php?ID=10%

    instead of

    http://www.test.com/article.php?ID=10

    The application pool fails 5 times in a row and I get service unavailable because the application pool crashes.

    The problem seems to be the character %. Put it at the end of the URL and the service will crash. First I thought it was a PHP or ASP or database error, but it happens on all my servers no matter how the application is handled, which database or server language is used, passive or active statements. As I tried out, the page never even gets executed (I wrote <% response.end() %> in ASP as my first line). So I thought this must be something big going on on my server.

    After 2 days I found that the problem is urlprotect.dll. This module seems to be an ISAPI filter that handles URLs for protected pages; if you remove it, the protection from the protected pages is GONE :-( But after I remove it, the application pool crash when there is a % in the dynamic URL is also gone. Also my debugger shows that urlprotect.dll is the module that initially failed before taking down the whole W3SVC and application pool...

    I don't claim to be very smart, but if this is true and somebody among you can verify (my config is Windows 2003 SP1, Plesk latest 8.4.0.1 I think... Other things seem not to matter), anybody can kill your server in the blink of an eye (or better, a % in your querystring) :-(((

    It seems most unreal that such a huge bug would be in the filter... but all my web pages and all the servers that have Plesk are affected, with any technology I use. I have one server that is without Plesk and this problem is not there.

    I don't use any other ISAPI filter on 2 servers; I use some URL rewriter on 1 server, but it seems this filter isn't the problem, as it is only on 1 server and removing it does nothing.

    All the paths on my research point to urlprotect.dll. Now please can someone verify that? I can not believe it is true but I also can not believe it is not true.

    The only thing is that something else that I have on all the servers is causing this, but what? urlprotect.dll is a realtime URL filter just as the error presents itself...

    Yours

    Jerry

    UPDATE: It seems any querystring that has a % not followed by 2 other characters (%21 is OK as this is the character !), like % or %8 or 9945%9, crashes the application pool several times.
     
  2. wsani

    wsani Silver Pleskian

    Is there a reason why you have % in the querystring anyways?
     
  3. jerry2

    jerry2 Guest

     
    No, of course not. But anybody can enter % in my URL (on purpose like hacker bots or hackers) or by accident (changing ID number and pressing %).

    I mean, you can kill my application pool forever in a press of a button (not even hack). I think this is a major disaster.
     
  4. jerry2

    jerry2 Guest

     
    Nobody can check this thing?
     
  5. jerry2

    jerry2 Guest

     
    84 views and nobody cares to test? Maybe I go off killing application pool on the web :-(

    Anyway, I have installed a competitive URL protection program (unfortunately not free) and uninstalled urlprotect.dll from all my websites. No problems since.
     
  6. axiomgreece

    axiomgreece Guest

     
    Dear friend,
    I have tested the problem that you describe and you are absolutely right. Unfortunately there is no solution or any other info from Plesk's company. It's the second time that we have had a problem with Plesk and there is no comment from Plesk. I think that this forum is here only to cover Parallels' problems using users' experience. Parallels support for major problems that happen because of this software is NOWHERE.
     
  7. jerry2

    jerry2 Guest

     
    This is really outrageous. With this bug anyone can kill your web service! This is simply too much!
     
  8. wsani

    wsani Silver Pleskian

    You can kick and scream all you want in this forum but they will not do anything about it. Have you submitted a support ticket about this? The more, the merrier.
     
  9. axiomgreece

    axiomgreece Guest

     
    I sent an e-mail to the bugsreport on Friday but nothing has happened at all.
     
  10. jerry2

    jerry2 Guest

     
    I couldn't send the tech support question since the severity level is always ghosted :-(((
     
  11. jerry2

    jerry2 Guest

     
    The level of ignorance for this bug is unbelievable. SWsoft doesn't seem to care and users don't realise anybody can kill their server at any time. Unbelievable!
     
  12. axiomgreece

    axiomgreece Guest

     
    I have seen that in IIS Plesk has 2 application pools. One of the two crashes and not the second. Does that mean something? Also I have seen in the HTTP error log \windows\system32\logfiles\httperr\xxxx.log that every time Googlebot tries to read a specific site using a URL that has a % character in it, the application pool has errors and after some tries crashes, because they count the necessary number of errors and give a service unavailable error.
    I have not had any answer yet from Plesk support... and we have had the problem since 30 July.
     
  13. jerry2

    jerry2 Guest

     
    The application pool that crashes is the one that your domain that is "killed" is in. If every domain has its own pool, only the one that you kill is killed. You have 2 pools because you must have some sites running in a different pool; that is normal.

    Yes, if you raise the 5 errors needed to crash the pool, one % will not kill it. I have raised the level to 50, so one must deliberately kill me if the pool is to be stopped. By accident, one % cannot kill me any more. That said, it still produces the 5 application pool errors I've mentioned.
     
  14. sergius

    sergius Golden Pleskian

  15. wsani

    wsani Silver Pleskian

    8.6.0.1: Crashing of IIS application pool of a domain when trying to browse a protected directory containing the % sign bug is fixed
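
Added example, not part of the original thread: a Python check that flags the request pattern from the first post's UPDATE (a % in the query string that does not start a valid escape) in W3C-format log lines such as the HTTPERR log mentioned in post 12. It applies the RFC 3986 rule (% must be followed by two hex digits); the sample log, its field list and the function names are constructed for illustration.

```python
import re
from collections import Counter

# RFC 3986: '%' must be followed by exactly two hex digits.
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Constructed sample (documentation addresses); real logs carry more fields.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri sc-status s-reason
2008-07-30 10:12:01 192.0.2.10 GET /article.php?ID=10 200 -
2008-07-30 10:12:05 192.0.2.10 GET /article.php?ID=10% 503 AppOffline
2008-07-30 10:12:06 198.51.100.7 GET /article.php?ID=%21 200 -
2008-07-30 10:12:09 198.51.100.7 GET /article.php?ID=9945%9 503 AppOffline
2008-07-30 10:12:11 192.0.2.10 GET /list.php?q=%8 503 AppOffline
"""


def malformed_escapes(uri):
    """Offsets of each malformed '%' in the query-string part of uri."""
    path, sep, query = uri.partition("?")
    if not sep:
        return []
    base = len(path) + 1
    return [base + m.start() for m in BAD_ESCAPE.finditer(query)]


def scan(log_text):
    """Return (client, uri, status) for requests with a malformed escape."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # HTTPERR-style logs use cs-uri; IIS site logs split out cs-uri-query.
        uri = row.get("cs-uri") or "?" + row.get("cs-uri-query", "")
        if malformed_escapes(uri):
            hits.append((row.get("c-ip", "-"), uri, row.get("sc-status", "-")))
    return hits


def by_client(hits):
    """Count flagged requests per client address."""
    return Counter(client for client, _, _ in hits)


if __name__ == "__main__":
    for client, uri, status in scan(SAMPLE_LOG):
        print(client, status, uri)
```

Running it over the logs of a server still on a pre-8.6.0.1 build shows which clients are sending the triggering requests and how often, which helps when deciding how far to raise the pool's failure threshold described in post 13.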
     