The UrlScan security tool redirects HTTP POST requests to the "Page cannot be displayed" page when the content length exceeds the MaxAllowedContentLength value in IIS (839565)



The information in this article applies to:

  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Server 4.0

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SYMPTOMS

If the content length in an HTTP POST request exceeds the value of the MaxAllowedContentLength parameter that is specified in the Urlscan.ini file, the UrlScan security tool redirects the request to the "Page cannot be displayed" error page instead of to the page that the RejectResponseUrl parameter specifies.

WORKAROUND

To avoid this behavior, comment out the MaxAllowedContentLength parameter in the Urlscan.ini file, and then manually redirect the request to the page that you want when Request.TotalBytes exceeds the value that the MaxAllowedContentLength parameter specified.

For example, after you comment out the MaxAllowedContentLength parameter in the Urlscan.ini file, modify your ASP code as in the following sample code:
<%
' Check the length of the content that is posted.
If Request.TotalBytes < 3000000 Then
	' Put your code here.
Else
	' Put the code to redirect the request to the page that you want here.
End If
%>
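
The following check is an added example, not part of the original article or of UrlScan. It reads Urlscan.ini and the ASP upload page and reports whether the POST size limit is enforced by UrlScan, by the page, or by neither. The ';' comment syntax, the section names, and the /errors/blocked.asp path in the constructed samples are assumptions.

```python
import re

# Constructed samples. The ';' comment syntax, section names and paths are assumptions.
INI_BEFORE = """[Options]
RejectResponseUrl=/errors/blocked.asp
[RequestLimits]
MaxAllowedContentLength=3000000
"""
INI_AFTER = INI_BEFORE.replace("MaxAllowed", ";MaxAllowed")  # limit commented out
ASP_UNGUARDED = "<%\nmySmartUpload.Upload\n%>"
ASP_GUARDED = "<%\nIF Request.TotalBytes<3000000 THEN\nmySmartUpload.Upload\nEND IF\n%>"


def active_settings(ini_text):
    """Return {lowercased key: value} for key=value lines that are not commented out."""
    settings = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments, whole-line or trailing
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def asp_limit(asp_text):
    """Return the byte threshold the page compares Request.TotalBytes against, or None."""
    match = re.search(r"Request\.TotalBytes\s*<=?\s*(\d+)", asp_text, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit(ini_text, asp_text):
    """Report which layer, if any, enforces the POST size limit."""
    settings = active_settings(ini_text)
    reject_url = settings.get("rejectresponseurl", "")
    if "maxallowedcontentlength" in settings:
        return ("urlscan-limit: oversize POSTs get the generic error page, not "
                + (reject_url or "a custom page"))
    guard = asp_limit(asp_text)
    if guard is None:
        return "no-limit: UrlScan limit is off and the page never checks Request.TotalBytes"
    return "app-limit: page compares Request.TotalBytes against %d" % guard


if __name__ == "__main__":
    for ini, asp in ((INI_BEFORE, ASP_UNGUARDED), (INI_AFTER, ASP_UNGUARDED),
                     (INI_AFTER, ASP_GUARDED)):
        print(audit(ini, asp))
```

The "no-limit" result is the state to watch for after you apply the workaround: nothing bounds the upload size until the Request.TotalBytes check is in the page.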

STATUS

This behavior is by design.

MORE INFORMATION

UrlScan version 2.5 is a security tool that restricts the types of HTTP requests that Microsoft Internet Information Services (IIS) will process. The UrlScan security tool helps prevent potentially damaging requests from reaching the server by blocking specific HTTP requests. The UrlScan security tool installs as a clean installation on servers that are running IIS 4.0 and later.

The MaxAllowedContentLength parameter specifies the maximum content length that the UrlScan security tool will permit in an HTTP POST request.

The RejectResponseUrl parameter specifies the virtual path of a file that runs when the UrlScan security tool blocks a request. You can use this parameter to customize the response that is sent to the client when the UrlScan security tool blocks a request.

Steps to reproduce the behavior

  1. Download and then install the UrlScan security tool. To obtain the UrlScan security tool, visit the following Microsoft Developer Network (MSDN) Web site:
  2. You must configure the UrlScan security tool for IIS. The Urlscan.ini file contains all configuration information for the UrlScan security tool. The Urlscan.ini file is located in the %WINDIR%\System32\Inetsrv\URLscan folder.

    To configure the UrlScan security tool, open the Urlscan.ini file in a text editor such as Notepad, make the appropriate changes, and then save the file.

    For additional information about how to configure the UrlScan security tool, click the following article number to view the article in the Microsoft Knowledge Base:

    326444 HOW TO: Configure the UrlScan tool

    Note When you configure the UrlScan security tool, set the MaxAllowedContentLength parameter and the RejectResponseUrl parameter.
  3. Create a sample program that uses ASP to upload files to a server that is running IIS. For example, the following sample code uploads files by using a third-party component in ASP. In this sample code, the component is Advantys aspSmartUpload.
    <%
    Dim mySmartUpload
    Set mySmartUpload = Server.CreateObject("aspSmartUpload.SmartUpload")
    mySmartUpload.Upload
    mySmartUpload.Save("/aspSmartUpload/Upload")
    %>
    Note This sample code contains only the server-side code that is used to upload a file.
  4. Use your sample program to upload a file that has a content length that exceeds the value of the MaxAllowedContentLength parameter.
  5. Verify that the UrlScan security tool redirects your request to the "Page cannot be displayed" error page instead of to the page that you specified in the RejectResponseUrl parameter.

REFERENCES

For more information about the UrlScan security tool, visit the following Microsoft Developer Network (MSDN) Web site:

For additional information about how to upload files by using ASP, click the following article number to view the article in the Microsoft Knowledge Base:

299692 HOW TO: Upload files to a Web server by using ASP

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Modification Type: Minor
Last Reviewed: 6/23/2005
Keywords:kbSecurity kbenable kbConfig kbService kbhttp404 kbhttp kbprb KB839565 kbAudDeveloper