Welcome to ISAserver.org
Strange http filter result - was reproducible
Strange http filter result - was reproducible - 4.Mar.2005 8:59:00 PM
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
One of my clients started having an issue logging into yahoo webmail. No recent changes had been made on the ISA 2004 server.
Something must have changed in the long URL string that is passed from yahoo.
Here's how I reproduced the problem. This was about a month ago so I haven't tried it again but this is how I fixed the problem.
Add the .com executable type as blocked in the http filter. Go to mail.yahoo.com, type any username and password, click login, and receive an http filter error.
What I found is that removing the .com file type from the blocked list of file extensions in the filter fixed the problem. So something in the string being passed was triggering the ISA to believe the user was downloading a .com executable file.
I was able to toggle on and off the .com blocking in the http filter and reproduce, but it only seemed to affect the yahoo mail site - I'm certain if it is a bug it could have affected other sites?
Has anyone else seen this issue?
RE: Strange http filter result - was reproducible - 8.Mar.2005 5:39:00 AM
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
Tom, have you run into this?
RE: Strange http filter result - was reproducible - 10.Mar.2005 5:34:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi WW,
Haven't heard of it until today. I'll test it out and see what happens.
Thanks! Tom
RE: Strange http filter result - was reproducible - 10.Mar.2005 5:49:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi WW,
It appears that the security filter sees the ".com" entries after the "*" as part of a file name. I'll see if I can find out why.
Thanks! Tom
RE: Strange http filter result - was reproducible - 10.Mar.2005 5:52:00 PM
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
Thanks, I haven't tested again since it happened, but it definitely was due to a change in the HUGE URL string passed when the mail login occurred, because it happened to a couple of clients at the same time and no ISA changes had been made.
I guess I had never thought about <.com> being a potentially dangerous extension to block, given .com being such a common domain extension... all I can think is something in the string was confusing the URL parsing into thinking it was actually a .com file.
RE: Strange http filter result - was reproducible - 10.Mar.2005 6:04:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi WW,
If there is a blocked file extension in the URI after the FQDN (host name), then the filter blocks the site. So, the only place ".com" can be if you've blocked that file extension is after the host name.
HTH, Tom
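
The false positive discussed in this thread, as an added example that is not part of the original posts and is not ISA Server's actual implementation: it compares a check that treats any blocked extension after the host name as a hit (an assumed model of the behaviour Tom describes) with a check that looks only at the last path segment. The function names and the example.com URLs are constructed for illustration; the real Yahoo login URL is not shown on this page.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Blocked extension from the thread's scenario (".com" executables).
BLOCKED = {".com"}


def blocked_anywhere(url, blocked=BLOCKED):
    """Assumed model of the behaviour described in the thread: a blocked
    extension anywhere after the host name (path or query) triggers a block."""
    parts = urlsplit(url)
    after_host = parts.path + "?" + parts.query
    # Every ".token" in the decoded path and query is treated as an extension.
    tokens = re.findall(r"\.[a-z0-9]+", unquote(after_host).lower())
    return any(tok in blocked for tok in tokens)


def blocked_last_segment(url, blocked=BLOCKED):
    """Stricter check: only the extension of the final path segment counts;
    the query string is ignored."""
    path = unquote(urlsplit(url).path)
    ext = posixpath.splitext(posixpath.basename(path))[1].lower()
    return ext in blocked


# Constructed sample URLs (hypothetical, not captured traffic).
SAMPLES = {
    "login_redirect": "http://login.example.com/config/login?.done=http://mail.example.com/inbox",
    "real_com_file": "http://downloads.example.com/tools/format.com",
    "plain_page": "http://www.example.com/index.html",
    "star_redirect": "http://rd.example.com/r/*http://mail.example.com",
}


def compare(samples=SAMPLES):
    """Return {name: (blocked_anywhere, blocked_last_segment)} per sample."""
    return {n: (blocked_anywhere(u), blocked_last_segment(u)) for n, u in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:15} anywhere={loose!s:5} last_segment={strict}")
```

The `star_redirect` sample is blocked by both checks: a redirect target that ends the path with a bare host name is indistinguishable from a `.com` file by extension alone.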
RE: Strange http filter result - was reproducible - 10.Mar.2005 6:12:00 PM
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
Tom,
That makes sense and is what I thought, but you have to admit then that adding <.com> as a blocked extension given the widespread use in domain names (and redirection URLs tacked on after the FQDN) is probably an extension to skip when blocking?
RE: Strange http filter result - was reproducible - 10.Mar.2005 6:14:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi WW,
You're right about that. I guess we'll need to leave all the TLDs that we want to allow access to out.
Thanks! Tom
RE: Strange http filter result - was reproducible - 10.Mar.2005 6:23:00 PM
WyldWolf
Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
Yea, I guess chalk it up as a bug, as for some reason most .com site redirections, etc. work without issues. The yahoo mail issue was certainly when the URL string they passed upon login changed, because it previously worked.
Unfortunately there are still many malicious .com executable files out there, and it would be nice if the filter didn't misinterpret that .1% forcing us to remove that TLD.
RE: Strange http filter result - was reproducible - 26.Mar.2005 2:46:00 PM
jruelo
Posts: 22
Joined: 30.Nov.2002
Status: offline
WyldWolf,
Just installed the ISA server 2004 and Yahoo mail logins were blocked.
Can you please post the step by step procedure on how to allow Web Yahoo mail logins?
Thanks.