Results 1 to 11 of 11

Thread: Error -2147467259 (0x80004005) with dots in query string

  1. #1

    Thread Starter
    New Member
    Join Date
    Oct 2021
    Posts
    6

    Question Error -2147467259 (0x80004005) with dots in query string

    I have some VBScript that passes directory names via a querystring in the browser. This works great except if the folder has dots in the name. Specifically, this folder has three dots in the middle of the folder name. I imagine IIS or ASP has some protections against directory traversal attacks which are preventing me from passing this folder in the URL. I tried HTML encoding the dots but the result is the same, error -2147467259 (0x80004005). Besides renaming the directory in question, anyone know how best to handle this situation? Thanks!

  2. #2
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    18,112

    Re: Error -2147467259 (0x80004005) with dots in query string

    I don't see how "period" characters are not allowed - they do not seem to have a valid "escape" syntax.

    Show some code please.

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  3. #3

    Thread Starter
    New Member
    Join Date
    Oct 2021
    Posts
    6

    Re: Error -2147467259 (0x80004005) with dots in query string

    Well, the directory being passed has three dots in the name so I think ASP or IIS is stopping it because it suspects a directory traversal attack. With ".." meaning previous directory after all. I assume it just does the same for "..." as well.

    Code is pretty generic.
    Just doing a GetFolder on a Server.mappath with the path being supplied via a query string:
    Code:
    strListDirPath = Request.QueryString("listdir")
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    Set objFolder = objFSO.GetFolder(Server.MapPath(strListDirPath))
    There error occurs on GetFolder.

    The folder name is "Example...Example123"

  4. #4
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    18,112

    Re: Error -2147467259 (0x80004005) with dots in query string

    Does "mappath" actually need an existing folder to work, or can you just pass "Example" and then when you get the result back do a REPLACE on "Example" to make it "Example...Example123"?

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  5. #5

    Thread Starter
    New Member
    Join Date
    Oct 2021
    Posts
    6

    Re: Error -2147467259 (0x80004005) with dots in query string

    I don't understand.
    Can you show an example?
    This is from a directory listings program so I'm not sure how I would accomplish that.

  6. #6
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    18,112

    Re: Error -2147467259 (0x80004005) with dots in query string

    Something like this maybe?

    Code:
    dim strCleanPath as String = strListDirPath.Replace(".","_")
    dim strCleanMap as String = Server.MapPath(strCleanPath)
    strListDirPath = strCleanMap.Replace("_",".")
    Set objFolder = objFSO.GetFolder(strListDirPath)
    I replaced the . character with an _ (underscore) character. You could replace it with anything as long as it's valid and not already in the path.

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  7. #7

    Thread Starter
    New Member
    Join Date
    Oct 2021
    Posts
    6

    Re: Error -2147467259 (0x80004005) with dots in query string

    Ah I see, thank you for the insight.
    Your sytax is a little off.
    You have to use the replace function like this:
    Code:
    Replace(strListDirPath, ".","_")
    However, it doesn't work as it breaks virtual paths and that's where all these files are stored behind.
    When I try your suggestions, it tries to use an absolute path that doesn't exist because there is a virtual binding for that path in IIS.

  8. #8
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    18,112

    Re: Error -2147467259 (0x80004005) with dots in query string

    I was giving you .Net syntax - sorry. I spend most of my time in JavaScript lately, so lucky get any identifiable syntax out, lol!

    So you are saying that the REPLACE turns the folders into ones that DO NOT EXIST, thus breaking things.

    Not that the REPLACE broke other parts of the folder string making the folder syntax invalid?

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  9. #9

    Thread Starter
    New Member
    Join Date
    Oct 2021
    Posts
    6

    Re: Error -2147467259 (0x80004005) with dots in query string

    No problem.
    I appreciate the direction. It's easy enough to read your code and figure out what you're doing.

    Correct, it turned my virtual directories (/Folder/Folder2/File.txt) into absolute ones (X:\IIS\Website\Folder\Folder2\File.txt).
    Although, I don't understand why at the moment.

    For now, I found the setting that stops ".." in the server.mappath function: https://docs.microsoft.com/en-us/iis...led-by-default
    So I have set that to true on the website and it's working for now.
    Not ideal but it works I suppose.

  10. #10
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    18,112

    Re: Error -2147467259 (0x80004005) with dots in query string

    Quote Originally Posted by DJX995 View Post
    Correct, it turned my virtual directories (/Folder/Folder2/File.txt) into absolute ones (X:\IIS\Website\Folder\Folder2\File.txt).
    Although, I don't understand why at the moment.
    MapPath does just that though - doesn't it? It turns a virtual folder into a mapped path on the actual server so you can then access files.

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  11. #11

    Thread Starter
    New Member
    Join Date
    Oct 2021
    Posts
    6

    Re: Error -2147467259 (0x80004005) with dots in query string

    Yeah, I'm trying to remember.
    I haven't touched this code in years so I'm trying to figure out how I did this.
    Here's what M$ has to say about that:
    The MapPath method maps the specified relative or virtual path to the corresponding physical directory on the server.
    Path: Specifies the relative or virtual path to map to a physical directory. If Path starts with either a forward (/) or backward slash (\), the MapPath method returns a path as if Path were a full, virtual path. If Path doesn't start with a slash, the MapPath method returns a path relative to the directory of the .asp file being processed.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width