I guess there is a danger that someone could execute commands on your server by passing smartly formatted URLs? -----Original Message----- From: Martin, Jon [mailto:[EMAIL PROTECTED] Sent: Thu 10/16/2003 8:19 PM To: Exchange Discussions Cc: Subject: OWA and URLScan-Blocked Special Characters OK, we all know that when you run Urlscan on an Exchange server that you will not be able to view certain notes in OWA, specifically those notes with special characters in the subject line. The special characters are below, along with the reason, according to MS documentation, that these should be blocked.
.. Allows directory traversals ./ Allows trailing dot on a directory name \ Allows backslashes in URL % Allows escaping after normalization & Allows multiple CGI processes to run on a single request My management wants these characters unblocked. To prevent this I need a better understanding of what potential problems are being prevented by the disabling of these characters. The above explanation in the MS documentation is probably not going to be sufficient. Does anyone have a more detailed explanation of the possible exploits being blocked by disabling these characters?? Thanks. Jon Martin _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] hاPi0"(q_jmg"{^zmٝZIb( \ez{^\zױjzV+!Nrzf%y{!jx0ya1r֝)Zvh &