I have a site that has worked fine for a while. Recently, any form passed as a querystring ('GET') that has the words "SELECT", "FROM", and "WHERE" in it causes the page to hang and, eventually, give a "Page not found..." error. It looks like this only happens with IE, not Firefox, but has been confirmed using several clients. Also, it only happens on one server...if I copy the same test script to another server, no problem. The words do not have to be passed from a form; they can also just be appended as a querystring.

So, for example,

http://www.problemserver.com/qsfails.asp?q=select+from+where

fails on the server that exhibits the problem. In fact, if I replace 'qsfails.asp' with a page name that does not exist, the page loading still hangs and waits until it times out, whereas trying to load a page that does not exist but without the querystring gets an immediate "Page not found..." error.

Is the server compromised? The hosting company claims it is not. Has anyone ever encountered this? Thoughts or suggestions?

Thanks!

+1  A: 

I reckon your web host is running a generic filter to prevent SQL injection attacks, like UrlScan. There are several such tools for both IIS and Apache. This will prevent the request from ever being seen or processed by your website.

Strange that they wouldn't mention something like that after your question though. Check with them.

Thorarin
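
The behaviour described in this answer, as an added example that is not part of the original post and not the code of UrlScan or any real filter: a keyword filter sitting in front of the site rejects a request before routing, so a missing page and a harmless sentence are blocked just like the test URL. The three-word rule, the 403 response (the server in the question hung instead), the page table and the function names are all assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed rule, modelled on the symptom in the question: reject any request
# whose decoded query string contains all three words.
BLOCKED_TOGETHER = ("select", "from", "where")

# Constructed site content: one real page, everything else is a 404.
PAGES = {"/qsfails.asp": "form results"}


def query_is_blocked(raw_query):
    """True when every keyword appears as a word in the decoded query string."""
    words = set(re.findall(r"[a-z]+", unquote_plus(raw_query).lower()))
    return all(keyword in words for keyword in BLOCKED_TOGETHER)


def site(path):
    """The hosted application; it only sees requests the filter lets through."""
    if path in PAGES:
        return 200, PAGES[path]
    return 404, "Page not found"


def handle(url):
    """Server front door. Returns (status, body, reached_site)."""
    parts = urlsplit(url)
    # The filter runs before routing, so whether the page exists is irrelevant.
    if query_is_blocked(parts.query):
        return 403, "rejected by filter", False
    status, body = site(parts.path)
    return status, body, True


if __name__ == "__main__":
    base = "http://www.problemserver.com"
    for request in (
        "/qsfails.asp?q=select+from+where",      # URL from the question
        "/nosuchpage.asp?q=select+from+where",   # missing page, still filtered
        "/nosuchpage.asp",                       # missing page, normal 404
        "/qsfails.asp?q=select+a+plan+from+the+list+where+price+is+low",
        "/qsfails.asp?q=select+from",            # only two of the three words
    ):
        status, body, reached = handle(base + request)
        print(f"{status} reached_site={reached!s:5} {request}")
```

Because the site never sees a filtered request, nothing appears in the application's own logging for it; only the filter's or the web server's logs would record the rejection.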
A: 

Turns out Thorarin was correct.

I had asked about security filtering but was told no. I asked again and was still told "no"; the hosting company thought it was a routing issue (which made no sense to me but what do I know).

However, they must have kicked it up the line because they had installed a filter which was the problem. Not only did customers not know, even their first couple levels of tech support did not know. Oops.

Thanks to Thorarin.

Don Changer