You know it's configurable, right?  You know there's a q-article about
that, right?

URLScan is a great tool.  It helps secure my web server.

I don't use templates for squat, except as a starting point.  They don't
replace a well-qualified administrator.  Also, I tell my users to quit
using & and % in their email subjects and filenames that they want to
access by OWA.  There are other tools, yes, but they're not FREE.

> -----Original Message-----
> From: Tom.Gray [mailto:[EMAIL PROTECTED]] 
> Posted At: Tuesday, October 01, 2002 10:40 AM
> Posted To: MSExchange Mailing List
> Conversation: OT: have you ever heard about MiraPoint
> Subject: Another reason to be careful with OWA and URLSCAN
> 
> 
> 
> URLSCAN is a great tool.  It helps secure your web server.  
> If you use the Outlook Web Access template when installing 
> URLSCAN you should be "good to go", right?
> 
> WRONG!   URLSCAN wreaks havoc with OWA.
> 
> First, remember that with OWA the SUBJECT line of a mail 
> message is the FILE NAME.  So if you are logged into OWA and 
> want to read a message with subject:
>    I want to hold your hand
> Your browser sends a URL like the following
>   
> https://servername/username/inbox/i%20want%20to%20hold%20your%20hand.eml 
> 
> URLSCAN examines that URL to make sure it isn't evil.  Looks 
> good so far.
> 
> If the subject is:
>    I want to hold your hand.
> 
> The url would be
>   
> https://servername/username/inbox/i%20want%20to%20hold%20your%20hand..eml 
> 
> Since there are two dots   (..) URLSCAN Rejects it.
> 
> And if the subject is:
>     I want to hold your hand & foot
> The URL would be
>       
> https://servername/username/inbox/i%20want%20to%20hold%20your%20hand%20%26%20foot.eml 
> 
> Since there is an "&"  (or hex 26) URLSCAN Rejects it.
> 
> 
> Now how common is a period at the end of a subject in email?  
> How common is the perfectly RFC822 legal "&" in the subject 
> of a message?
> 
> There are truly good reasons to reject those chars/patterns 
> as URL's, but they are allowed as file names.  So do you a) 
> lower the security of your webserver by disabling those 
> features of URLSCAN?
> b) convince everyone to not end their subjects with a period 
> or use the & symbol?
> 
> hmmmmm, what were the OWA guys thinking (or smoking?) when 
> they set up the URL's to be based on subject lines???????
> 
> 
> 
> Tom Gray, Network Engineer
> All Kinds of Minds & The Center for Development and Learning 
> University of North Carolina at Chapel Hill
> Internet:  [EMAIL PROTECTED]
> AT&T Net: (919)960-8888
> 
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 
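To make the trade-off in the quoted post concrete, here is an added example (not code from the post, from Exchange, or from URLScan itself) that builds OWA-style message URLs from subjects the way the post describes and runs them through a small emulation of URLScan's DenyUrlSequences pass. Only the two sequences the post names, ".." and "&", are modelled; the decode-before-check step is assumed from the post's observation that "%26" is rejected as "&". The third list, which denies "../" instead of a bare "..", is an assumption about how one might tune the deny list rather than anything the post or a Microsoft article recommends; the sample subjects and the traversal-shaped URL are constructed here.

```python
from urllib.parse import quote, unquote

# Sequences the post above says URLScan rejects: ".." and "&".
# Whatever else a real urlscan.ini carries is left out of this model.
POST_DENY_SEQUENCES = ["..", "&"]

# Assumed alternative (not from the page): deny the traversal form "../"
# rather than any pair of dots, so "hand..eml" passes while "../" is still caught.
TRAVERSAL_ONLY_DENY_SEQUENCES = ["../", "&"]


def owa_message_url(server, mailbox, folder, subject):
    """Build the URL OWA uses for a message as the post describes it:
    the subject becomes the file name, ".eml" is appended, and the
    result is percent-encoded once (space -> %20, & -> %26)."""
    filename = subject + ".eml"
    return f"https://{server}/{mailbox}/{folder}/{quote(filename, safe='')}"


def urlscan_check(url, deny_sequences):
    """Emulate URLScan's DenyUrlSequences pass on one request.

    The post shows "%26" being rejected as "&", so the denied substrings
    are searched in the decoded path. Returns (allowed, reason)."""
    _, _, rest = url.partition("://")
    _, _, path = rest.partition("/")
    decoded = unquote(path)
    for seq in deny_sequences:
        if seq in decoded:
            return False, f"denied sequence {seq!r}"
    return True, "ok"


def classify_subjects(subjects, deny_sequences, server="servername",
                      mailbox="username", folder="inbox"):
    """Map each subject to (allowed, reason, url) under a given deny list."""
    results = {}
    for subject in subjects:
        url = owa_message_url(server, mailbox, folder, subject)
        allowed, reason = urlscan_check(url, deny_sequences)
        results[subject] = (allowed, reason, url)
    return results


# Constructed sample input: the three subjects from the post, plus a request
# shaped like a directory traversal to show what a relaxed list lets through.
SAMPLE_SUBJECTS = [
    "I want to hold your hand",
    "I want to hold your hand.",
    "I want to hold your hand & foot",
]
TRAVERSAL_URL = "https://servername/username/inbox/../../somefile.txt"

if __name__ == "__main__":
    for label, deny in [("post's list ('..' and '&')", POST_DENY_SEQUENCES),
                        ("'../' instead of '..'", TRAVERSAL_ONLY_DENY_SEQUENCES),
                        ("nothing denied", [])]:
        print(f"== {label}")
        for subject, (ok, why, _url) in classify_subjects(SAMPLE_SUBJECTS, deny).items():
            print(f"  {'ALLOW' if ok else 'DENY '} {subject!r}: {why}")
        ok, why = urlscan_check(TRAVERSAL_URL, deny)
        print(f"  {'ALLOW' if ok else 'DENY '} traversal-shaped request: {why}")
```

Run as a script it prints the three outcomes per list: the post's list blocks the trailing-period subject and the "&" subject and the traversal-shaped request; denying "../" instead of ".." keeps the traversal blocked and lets the trailing-period subject through; denying nothing lets everything through, which is the "lower the security of your webserver" option in the post. Whether narrowing ".." to "../" is safe on a real IIS box depends on how the server treats other dot sequences, so treat it as a starting point for testing, not a recommendation.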
