
WebSite Release Notes

Release notes:
Version 3.5 build 19

Sept 16, 2003
--------------------------------
Web Server
--------------------------------
  • ISAPI "Path info" switching is now automatic for both the value provided by the server variables and the values passed through the ISAPI extension control block. The server detects whether "associated" documents are being used (e.g. ColdFusion, Perl, ASP) and whether there is no real Path Info on the URL; if both are true, it copies the script path into path info, per the 1997 Microsoft botch.

  • Several subtle problems in the custom error page handling have been corrected. The external manifestations are (1) #401.xxx works correctly now, and (2) the correct HTTP status code is sent when the response is a custom error document. For example, if the response is from #404.html, the HTTP response error code is 404 Not found (as it -should- be!), not 200 OK.

  • Custom error documents are no longer checked for access control. This is a relaxation of security, but needed for reliable operation of custom error documents.

Version 3.5 build 18

July 10, 2003
--------------------------------
Web Server
--------------------------------
* Fixed error message that would reveal the absolute path of the web folder on the target host's file system.

Version 3.5 build 17
February 20, 2003

--------------------------------
Web Server
--------------------------------
* Fixed CGI to suppress spurious empty command line argument when launching EXE type CGI programs.

Version 3.5 build 16
January 28, 2003

--------------------------------
Web Server
--------------------------------
  • Fixed password access failure where different levels in the URL path had different username/password access.

  • All time-limited popup messages (e.g. "secure mode disabled") have been removed.

  • Referrer information has been removed from all standard error messages. This eliminates some cross-site scripting vulnerabilities.

  • The server root field on the property sheet General tab is now read only. This field was a point of confusion for new users, and is rarely changed, and then only by the most advanced users.

  • The concept of URL prefix has been replaced by "path prefixing" and the path prefix is now generated by the New Domain Wizard to be equal to the full new domain name. This makes the mapping setup much more intuitive, and eliminates confusion among new users.

  • The ISAPI interface has been enhanced to pass any URL parameters (delimited by a semicolon, not the same as a query string) in the ECB path_info field. URL parameters are long since deprecated, however the Jakarta Tomcat system uses them as an alternative to cookies to get around people disabling cookies on their browser.

  • The online help has been updated to reflect the changes to the new domain creation process.


------------------------------

Version 3.5 build 15
December 11, 2002

--------------------------------
Web Server
--------------------------------
  • Fixed: cross-site scripting vulnerability in 404, 400, and 500 error messages, displaying referrer field contents.
    Thanks to Ory Segal at Sanctum inc. http://www.sanctuminc.com for finding this security issue in VisNetic WebSite.

  • ISAPI changed to pass SCRIPT_NAME and corresponding file location in extension control block fields for path_info and path_translated.

  • Network buffers increased in size for performance increases under certain conditions.

  • Fixed a rare problem in CGI and API with returned status not being cleared after recycling a connection using Keep-Alive.

  • Fixed server crash on long URL when specifying an unsupported HTTP method. This was an uninitialized pointer in error logging for "Not Supported" errors.

  • Added option feature in WSAPI, now at version 1.4 - extended TCTX to include flags for "raw GET" and "don't replace on PUT". These are meant for preprocessor use. Contact Deerfield for an updated wsapi.h. We recommend waiting on using these features till WebSite V4.

    ------------------------------

    Version 3.5 build 13.1
    November 1, 2002

    ---------
    Installer
    ---------


    • Fixed program group icon display on WinXP. Forced WinXP to use a 16x16 icon file for Server Properties and Start Server .lnk files.
    • Fixed upgrade changing .css file association. Install was setting .css to text/xml when it should have been set to text/css.
    ------------------------------

    Version 3.5 build 13
    October 18, 2002

    ---------
    Installer
    ---------
    • Added TopStyle and VisNetic WebSite Publishing Tool download support for new installs.
    ---------
    Web Server
    ---------
    • Fixed service tray auto-start bug. WebSite was not enabling the auto-start feature when selected in service tray run mode.
    • Fixed DOS attack

    VisNetic WebSite incorrectly maintained HTTP/1.1 "keep-alive" feature in the presence of an incoming illegal request. In the repro scenario, a long URL is used along with POSTed content. The long URL is not the problem. It is correctly detected and rejected by WebSite, which issues a 400 Bad Request error. However, the connection was incorrectly kept alive, resulting in the pipelined POST content from the unfinished/failed request being read as part of the next request's command keyword.
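
The desynchronisation described above, reproduced with a toy parser as an added example (not VisNetic WebSite code; `MAX_URL`, `METHODS`, `serve` and the sample bytes are assumptions made for illustration). With the connection kept alive after the 400, the rejected request's unread body is glued onto the next request's method keyword; closing the connection discards it.

```python
# Added illustration: a toy pipelined-request parser, not VisNetic WebSite code.
MAX_URL = 64                       # constructed limit, kept small for the sample
METHODS = {"GET", "HEAD", "POST"}  # methods this toy server implements

def parse_head(head: str):
    """Return (method, status, content_length) for one request head."""
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    if len(parts) != 3 or len(parts[1]) > MAX_URL:
        return method, 400, 0
    if method not in METHODS:
        return method, 501, 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length", "0")
    if not length.isdigit():
        return method, 400, 0
    return method, 200, int(length)

def serve(stream: bytes, close_on_error: bool):
    """Process one connection's bytes; return [(method, status), ...]."""
    responses, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break                         # incomplete head; a real server waits
        method, status, length = parse_head(stream[pos:end].decode("latin-1"))
        responses.append((method, status))
        pos = end + 4
        if status >= 400:
            if close_on_error:
                break                     # fixed: unread body dies with the socket
            continue                      # old behaviour: body is parsed as a head
        pos += length                     # accepted request: skip its body
    return responses

# Constructed sample: an over-long URL with a 4-byte body, then a normal GET.
SAMPLE = (b"POST /" + b"a" * 100 + b" HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 4\r\n\r\nAAAA"
          b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    print("kept alive:", serve(SAMPLE, close_on_error=False))
    print("closed:    ", serve(SAMPLE, close_on_error=True))
```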


    Version 3.5 build 10
    August 20, 2002

    ---------
    Installer
    ---------
    • Added D2G detection
    • New registration system
    ---------
    Web Server
    ---------
    • Updated Trusted Roots
    • Custom 404 error pages
    • D2G detection in Domain Wizard
    • Complete CFMX Support using the CFMX Connector installer
    • New domain wizard will allow domain creation without IP address
    • One button back-up and restore
    • Documentation updates
    • Suppressed pop up box when shutting down VWS as a service
    • Increased max connections to 4096
    • Fixed: broken link on default page
    • Fixed: URL trailing with quote produced malformed error message
    • Fixed: dot at the end of a URL would cause IP-Bound domain to be selected
    • Fixed: arrow key movement reversed on shutdown warning box
    • Fixed: abort.log file is saved in WebSite root instead of system32 directory
    • Fixed: default log format set to W3C
    • Fixed: added service description
    • Fixed: WebSite's property sheet can no longer be accessed from the icon when running as a service. This caused security as well as usability problems within the property sheet. WebSite Properties can only be accessed from the WebSite program group
    • Removed Win95 support



    Release notes for WebSite 3.1 SP1 (May 16, 2002):

    Thanks to Ory Segal at Sanctum inc. http://www.sanctuminc.com for finding a source code disclosure in WebSite Pro. This service pack corrects the security issue where it was possible to view the source code of active documents (e.g. ASP or Cold Fusion).

    Release notes for WebSite 3.1 (November 13, 2001):



    Fixes for WebSite 3.1
    • CGI programs now run in NT user context without kernel32 init failure.
    • Fixed handling of 9x service modes. Control buttons were dimmed.
    • Win95 warning message now has (i) icon instead of (?).
    • Domain (Identity) tab: deleting domains (identity) with given URL prefix no longer deletes.
    • Fixed NT/9x detection was causing exception at startup.
    • Tray icon now says WebSite Idle after auto-start of NT service.
    • Identities with prefixes, which begin with the first prefix.
    • Authentication bug where anonymous account was unhooked after the first request/response of a kept-alive connection.
    • Spurious / removed from certain ISAPI paths (relatively obscure bug).
    • W3C/WebTrends log format now works with WebTrends.


    New Features & User Requests
    • Base identity logged and passed to CGI/API when doing www aliasing.
    • Help File branding change to Properties Overview.
    • Terisa and RSA branding added to Server Properties "About" box.
    • New Domain Wizard. Changes from identity and hostname to domain.
    • Add new server support functions to ISAPI for PHP4/ISAPI.
    • Installer pre-configures for VBScript/JScript CGI programs using WSH.
    • Full context and control menus when running as a service icon/tray.
    • New "start automatically" checkbox for NT service modes.
    • Installer now defaults to service/tray/autostart on NT/2000/XP.
    • Installer pre-configures with event sounds, sound files included.
    • 3 new WSAPI functions added.
    • DELETE method can now delete directory trees with non-empty directories.
    • New Identity Wizard now writes its report to WebSite\Admin directory.
    • Host name length increased in New Identity Wizard.
    • Property Sheet online help re-written from scratch, much more complete.
    • SDK documentation updated, merged with main help file.
    • WebSite administration scripting reference merged with main help file.
    • EIT registry tree eliminated, crypto items moved under the WebServer key.
    • ASP tab on property sheet appears only if ASP 1.0 engine is installed.
    • New "API Internals" tracing option, for use by WSAPI/ISAPI DLLs.
    • Host name and URL path added to ISAPI generated log entries.
    • Double-dot protection: URLs will be refused if they contain '..' (Nimda).
    • Tray and system menus are available for service/icon and service/tray.
    • Additional tracing detail for CGI process creation (from NT context fix).
