(Let's keep this on the list for the benefit of all ;) Do you have separate URLScan installations on your FE and BE servers?

What's the name of the Excel file below? The %20 and %25 in the URLs below map to their character counterparts, and the %25 converts to % - disallowed.

> -----Original Message-----
> From: Byron Kennedy [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 21, 2003 3:24 PM
> To: Erik Sojka
> Subject: RE: urlscan debugging in owa 2000. Was Double-clicking attachments in OWA 2000 gives 404
>
>
> Got ya. This is exactly what I've done so far. Just benchmarking my thinking. Appreciate your follow-up Erik. OWA 2000 has only been running a week and I think we've squashed most bugs by tweaking the urlscan.ini.
>
> Here's an xls file that got filtered today. I obscured the username. Trying to track it to a rule in the ini. Thoughts?
>
> <Snip> from test .ini
> [DenyUrlSequences]
> ;..    ; Don't allow directory traversals
> ./     ; Don't allow trailing dot on a directory name
> \      ; Don't allow backslashes in URL
> ;%     ; Don't allow escaping after normalization (causing problems)
> &      ; Don't allow multiple CGI processes to run on a single request
> ;:     ; per Q309677
>
> <snip from today's test log>
>
> [03-21-2003 - 07:30:14] Client at 67.122.251.230: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/exchange/user.name/Sent%20Items/PROPOSAL%20PIPELINE-2.EML/1_multipart/PROPOSALpipeline%2520BF%252003-13-03.xls'
>
> Cheers-byron
>
> -----Original Message-----
> From: Erik Sojka [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 21, 2003 5:33 AM
> To: Exchange Discussions
> Subject: RE: Double-clicking attachments in OWA 2000 gives 404
>
>
> I'll look at ours and get back to yours;
>
> Be aware that if you are 100% patched and up to date on your IIS code, you may be able to completely remove some of the entries that are intended to protect against exploits that are already protected by a patch. We compromised and removed some redundant entries (removed ".." but kept ".\" to protect against the CMD.EXE exploit).
> _________________________________________________________________

List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
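The log line in the thread shows URLScan rejecting a request because "URL normalization was not complete after one pass": the attachment name carries %2520 and %2520 is what you get when an already-encoded %20 is percent-encoded a second time, so one decode pass still leaves %XX escapes behind. The following Python is an added example, not code from the thread or from URLScan itself; it models that single-pass normalization check together with a DenyUrlSequences-style substring match, using a constructed rule list that mirrors the entries left active in Byron's urlscan.ini snippet, and it pulls the raw URL out of a log line in the format quoted above. Function names, the rule list and the sample URLs are assumptions for illustration.

```python
"""Added example: a model of URLScan's "normalization complete after one pass"
check and DenyUrlSequences matching, applied to a log line from the thread.
Not URLScan's own code; rule list and helper names are constructed."""
import re
from urllib.parse import unquote

# Constructed rule list mirroring the active (non ';'-commented) entries in
# the [DenyUrlSequences] snippet quoted in the thread.
DENY_URL_SEQUENCES = ["./", "\\", "&"]

# Any remaining %XX escape after one decode pass means the input was
# double-encoded (e.g. %2520 -> %20), which is what the log line reports.
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Pattern for the Raw URL field of the log format quoted in the thread.
RAW_URL_FIELD = re.compile(r"Raw URL='([^']*)'")

# Log line copied from the thread (line wraps rejoined); used as sample input.
LOG_LINE = (
    "[03-21-2003 - 07:30:14] Client at 67.122.251.230: URL normalization was "
    "not complete after one pass. Request will be rejected. Site Instance='1', "
    "Raw URL='/exchange/user.name/Sent%20Items/PROPOSAL%20PIPELINE-2.EML/"
    "1_multipart/PROPOSALpipeline%2520BF%252003-13-03.xls'"
)


def normalize_once(raw_url: str) -> str:
    """One percent-decoding pass, as the server does before routing a request."""
    return unquote(raw_url)


def decode_fully(raw_url: str, max_passes: int = 5):
    """Decode repeatedly until the URL stops changing.
    Returns (decoded_url, passes_that_changed_something)."""
    current = raw_url
    for passes in range(max_passes):
        nxt = unquote(current)
        if nxt == current:
            return current, passes
        current = nxt
    return current, max_passes


def check_url(raw_url: str, deny_sequences=DENY_URL_SEQUENCES):
    """Return (allowed, reason) for a raw request URL.
    1. normalization must be complete after one pass (no %XX left);
    2. none of the denied sequences may appear in the normalized URL."""
    once = normalize_once(raw_url)
    if PERCENT_ESCAPE.search(once):
        # A second decode would change the URL again: double-encoded input.
        return False, "URL normalization was not complete after one pass"
    for seq in deny_sequences:
        if seq in once:
            return False, f"denied sequence {seq!r}"
    return True, "ok"


def raw_url_from_log(line: str):
    """Extract the Raw URL='...' value from a log line, or None if absent."""
    match = RAW_URL_FIELD.search(line)
    return match.group(1) if match else None


if __name__ == "__main__":
    url = raw_url_from_log(LOG_LINE)
    print("raw URL:   ", url)
    print("verdict:   ", check_url(url))
    print("after one: ", normalize_once(url))
    print("fully:     ", decode_fully(url))
```

With the "%" entry commented out, as in the thread's ini, a once-encoded literal percent sign such as "100%25" decodes to "100%" and is allowed, while the double-encoded attachment name is still rejected by the normalization check before any deny rule is consulted.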