-----Original Message-----
From: Christopher Hummert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 12:15 PM
To: Exchange Discussions
Subject: RE: Another reason to be careful with OWA and URLSCAN


> hmmmmm, what were the OWA guys thinking (or smoking?) when they set up
> the URLs to be based on subject lines???????

True. I agree with you. I thought this was a big security hazard to
begin with. I guess it's only a matter of time till someone figures out
how to exploit it.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tom.Gray
Sent: Tuesday, October 01, 2002 8:40 AM
To: Exchange Discussions
Subject: Another reason to be careful with OWA and URLSCAN



URLSCAN is a great tool.  It helps secure your web server.  If you use
the Outlook Web Access template when installing URLSCAN you should be
"good to go", right?

WRONG!   URLSCAN wreaks havoc with OWA.

First, remember that with OWA the SUBJECT line of a mail message is the
FILE NAME.  So if you are logged into OWA and want to read a message
with subject:
   I want to hold your hand
your browser sends a URL like the following:
  https://servername/username/inbox/i%20want%20to%20hold%20your%20hand.eml

URLSCAN examines that URL to make sure it isn't evil.  Looks good so
far.

If the subject is:
   I want to hold your hand.

the URL would be
  https://servername/username/inbox/i%20want%20to%20hold%20your%20hand..eml

Since there are two dots (..), URLSCAN rejects it.

And if the subject is:
    I want to hold your hand & foot
the URL would be
  https://servername/username/inbox/i%20want%20to%20hold%20your%20hand%20%26%20foot.eml

Since there is an "&" (hex 26), URLSCAN rejects it.


Now how common is a period at the end of a subject in email?  How common
is the perfectly RFC822 legal "&" in the subject of a message?

There are truly good reasons to reject those chars/patterns in URLs,
but they are allowed as file names.  So do you a) lower the security of
your web server by disabling those features of URLSCAN? or
b) convince everyone to not end their subjects with a period or use the
& symbol?

hmmmmm, what were the OWA guys thinking (or smoking?) when they set up
the URLs to be based on subject lines???????



Tom Gray, Network Engineer
All Kinds of Minds & The Center for Development and Learning University
of North Carolina at Chapel Hill
Internet:  [EMAIL PROTECTED]
AT&T Net: (919)960-8888



_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
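The mapping Tom describes (subject line becomes the .eml file name in the URL, URLSCAN then rejects ".." and "&") is easy to model. The script below is an added example, not code from either poster or from Microsoft: it builds the OWA-style URL for a subject and applies the two rejection rules the post names, so an administrator can run a sample of real subject lines through it and estimate how much mail OWA users would be unable to open before touching the URLSCAN configuration. The server, user and folder names, the lower-casing of the subject (taken from the post's examples) and the sample subjects are assumptions; the checks mirror the post's description of URLSCAN, not the real urlscan.ini syntax.

```python
"""Model of the OWA subject-to-URL mapping and the two URLSCAN rejection
rules described in the list post.  Added example; hypothetical names."""
from urllib.parse import quote, unquote

# Assumed OWA path layout from the post: https://<server>/<user>/inbox/<subject>.eml
BASE = "https://servername/username/inbox/"

# Patterns the post says URLSCAN rejects.  Constructed to mirror the post's
# description, not the actual urlscan.ini sections.
DENY_SEQUENCES = ("..",)   # traversal-style sequence; a trailing '.' + '.eml' produces it
DENY_CHARS = ("&",)        # sent on the wire as %26


def owa_url(subject: str) -> str:
    """Encode a subject the way the post shows OWA doing it.

    quote(safe="") leaves only letters, digits and '_.-~' unencoded, so a
    space becomes %20, '&' becomes %26 and '.' is passed through unchanged,
    which is exactly why a subject ending in '.' yields '..eml'.
    The lower-casing matches the post's examples (assumption).
    """
    return BASE + quote(subject.lower(), safe="") + ".eml"


def urlscan_verdict(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for the request path of an OWA URL.

    The path is decoded first so that '%26' is seen as '&', matching the
    post's observation that the encoded form is still rejected.
    """
    path = url.split("//", 1)[1].split("/", 1)[1]
    decoded = unquote(path)
    for seq in DENY_SEQUENCES:
        if seq in decoded:
            return False, f"contains denied sequence {seq!r}"
    for ch in DENY_CHARS:
        if ch in decoded:
            return False, f"contains denied character {ch!r} (%{ord(ch):02X})"
    return True, "ok"


def triage(subjects):
    """Map each subject to (url, allowed, reason)."""
    out = {}
    for s in subjects:
        url = owa_url(s)
        allowed, reason = urlscan_verdict(url)
        out[s] = (url, allowed, reason)
    return out


def blocked_count(subjects) -> int:
    """How many of the given subjects URLSCAN would refuse to serve."""
    return sum(1 for _, allowed, _ in triage(subjects).values() if not allowed)


if __name__ == "__main__":
    # Constructed sample subjects, including the two cases from the post.
    sample = [
        "I want to hold your hand",
        "I want to hold your hand.",
        "I want to hold your hand & foot",
        "Q3 budget review",
        "Re: lunch?",
    ]
    for subj, (url, allowed, reason) in triage(sample).items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5}  {subj!r:40}  {reason}")
        print(f"       {url}")
    print(f"{blocked_count(sample)} of {len(sample)} sample subjects would be blocked")
```

Run it against a dump of recent subject lines from the store (one per line) instead of the constructed list to get a realistic blocked fraction for your users; that number is what decides between loosening URLSCAN and living with the breakage.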




This e-mail and any files transmitted with it, are confidential to National Grid and 
are intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this e-mail in error, please contact the National 
Grid USA Help desk on 508-389-3375.

