Version: IIS 7.0 & 7.5
Module or component: IPv4 Address and Domain Restriction Module
Platform / Operating System: Windows Server 2008 & 2008 R2
Type of error: Bug / Interpretation Error
Difficulty to reproduce: Easy, tested on multiple systems.
Summary:
- Entering a number from 0 to 32 in the netmask field will result in allowing all traffic even when default policy is set to Deny.
- Entering any invalid netmask will result in allowing all traffic even when default policy is set to Deny.
Steps to reproduce:
1) Chose “Deny” as the default for “Access for unspecified clients” under “Edit Feature Settings”
2) Add Allow Entry -> Chose IPv4 address range (instead of a specific address) -> Enter “10.0.0.0″ (or any appropriate address in your test) and then a number from 0 to 32 in the netmask field. In our example enter 8. Click OK.
3) Under 7.0, the result will show as 10.0.0.0(0.0.0.8) and under 7.5, the result will show as 10.0.0.0(8). The former is an invalid netmask. The latter could be interpreted as /8 and thus be valid. However, 7.0 nor 7.5 actually work in the expected way. Your server will now accept any request for the supposedly denied resource.
Work around: Use the full and valid netmask (255.0.0.0 to 255.255.255.255) and the restriction module will work correctly.
Severity: Severe – Due to the nature of the bug, restricting access to a specific resource can fail and a wrong entry can even invalidate other correct deny/allow rules.