URLSCAN is a great tool. It helps secure your web server. If you use the Outlook Web
Access template when installing URLSCAN you should be "good to go", right?
WRONG! URLSCAN wreaks havoc with OWA.
First, remember that with OWA the SUBJECT line of a mail message is the FILE NAME. So
if you are logged into OWA and want to read a message with subject:
I want to hold your hand
Your browser sends a URL like the following
https://servername/username/inbox/i%20want%20to%20hold%20your%20hand.eml
URLSCAN examines that URL to make sure it isn't evil. Looks good so far.
If the subject is:
I want to hold your hand.
The URL would be
https://servername/username/inbox/i%20want%20to%20hold%20your%20hand..eml
Since there are two dots (..), URLSCAN rejects it.
And if the subject is:
I want to hold your hand & foot
The URL would be
https://servername/username/inbox/i%20want%20to%20hold%20your%20hand%20%26%20foot.eml
Since there is an "&" (or hex 26), URLSCAN rejects it.
Now how common is a period at the end of a subject in email? How common is the
perfectly RFC 822-legal "&" in the subject of a message?
There are truly good reasons to reject those chars/patterns in URLs, but they are
allowed as file names. So do you a) lower the security of your webserver by disabling
those features of URLSCAN, or
b) convince everyone not to end their subjects with a period or use the & symbol?
hmmmmm, what were the OWA guys thinking (or smoking?) when they set up the URLs to be
based on subject lines???????
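As an added illustration, not part of Tom's post: the snippet below rebuilds the OWA item URL from a subject the way the post describes (subject plus .eml, percent-encoded; the server and mailbox path are constructed placeholders) and runs it through a filter that mimics the two URLSCAN deny sequences the post trips over, so an admin can triage which subjects in a mailbox would become unreadable before deciding which rule to relax.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import quote, unquote

# The two [DenyUrlSequences] entries from the URLSCAN template that the post
# runs into. The real template lists more; only these two are modelled here.
DENY_URL_SEQUENCES = ("..", "&")

# Constructed placeholder path; OWA's real mailbox layout is not modelled.
OWA_INBOX = "https://servername/username/inbox/"


def owa_item_url(subject: str) -> str:
    """Map a subject to the OWA item URL as the post describes: the subject
    is the file name, with .eml appended, then percent-encoded."""
    return OWA_INBOX + quote(subject, safe="") + ".eml"


def urlscan_verdict(url: str) -> Optional[str]:
    """Return the deny sequence that would make URLSCAN reject this URL,
    or None if it passes. URLSCAN compares against the decoded path, so
    an encoded %26 still matches the "&" rule."""
    path = unquote(url.split("://", 1)[1].split("/", 1)[1])
    for seq in DENY_URL_SEQUENCES:
        if seq in path:
            return seq
    return None


def triage_subjects(subjects: Iterable[str]) -> Dict[str, Optional[str]]:
    """For each subject, record which rule blocks it (None = still readable)."""
    return {s: urlscan_verdict(owa_item_url(s)) for s in subjects}


if __name__ == "__main__":
    # Constructed sample subjects, including the three from the post.
    sample = [
        "I want to hold your hand",
        "I want to hold your hand.",
        "I want to hold your hand & foot",
        "Re: budget for Q3",
        "Meeting moved to 3 p.m.",
    ]
    for subject, blocked_by in triage_subjects(sample).items():
        status = "OK" if blocked_by is None else f"REJECTED by '{blocked_by}'"
        print(f"{status:18} {subject}")
```

Running it shows that any subject ending in a period collides with the ".." rule because of the appended ".eml", which is why relaxing that rule alone does not fix the "&" case and vice versa.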
Tom Gray, Network Engineer
All Kinds of Minds & The Center for Development and Learning
University of North Carolina at Chapel Hill
Internet: [EMAIL PROTECTED]
AT&T Net: (919)960-8888
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]