Strange http filter result - was reproducible

Strange http filter result - was reproducible - 4.Mar.2005 8:59:00 PM   
WyldWolf

 

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
One of my clients started having an issue logging into yahoo webmail. No recent changes had been made on the ISA 2004 server.

Something must have changed in the long URL string that is passed from yahoo.

Here's how I reproduced the problem. This was about a month ago so I haven't tried it again but this is how I fixed the problem.

Add the .com executable type as blocked in the HTTP filter. Go to mail.yahoo.com, type any username and password, click login, and receive an HTTP filter error.

What I found is that removing the .com file type from the blocked list of file extensions in the filter fixed the problem. So something in the string being passed was triggering the ISA to believe the user was downloading a .com executable file.

I was able to toggle on and off the .com blocking in the http filter and reproduce, but it only seemed to affect the yahoo mail site - I'm certain if it is a bug it could have affected other sites?

Has anyone else seen this issue?
Post #: 1
RE: Strange http filter result - was reproducible - 8.Mar.2005 5:39:00 AM   
WyldWolf

 

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
Tom, have you run into this?

(in reply to WyldWolf)
Post #: 2
RE: Strange http filter result - was reproducible - 10.Mar.2005 5:34:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi WW,

Haven't heard of it until today. I'll test it out and see what happens.

Thanks!
Tom

(in reply to WyldWolf)
Post #: 3
RE: Strange http filter result - was reproducible - 10.Mar.2005 5:49:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi WW,

It appears that the security filter sees the ".com" entries after the "*" as part of a file name. I'll see if I can find out why.

Thanks!
Tom

(in reply to WyldWolf)
Post #: 4
RE: Strange http filter result - was reproducible - 10.Mar.2005 5:52:00 PM   
WyldWolf

 

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
Thanks, I haven't tested again since it happened, but it definitely was due to a change in the HUGE URL string passed when the mail login occurred, because it happened to a couple of clients at the same time and no ISA changes had been made.

I guess I had never thought about <.com> being a potentially dangerous extension to block, given .com being such a common domain extension.....all I can think is something in the string was confusing the URL parsing into thinking it was actually a .com file.

(in reply to WyldWolf)
Post #: 5
RE: Strange http filter result - was reproducible - 10.Mar.2005 5:55:00 PM   
WyldWolf

 

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
....And I never see it on my ISA because I'm not blocking any file types for myself. [Smile]

(in reply to WyldWolf)
Post #: 6
RE: Strange http filter result - was reproducible - 10.Mar.2005 6:04:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi WW,

If there is a blocked file extension in the URI after the FQDN (host name), then the filter blocks the site. So, the only place ".com" can be if you've blocked that file extension is after the host name.

HTH,
Tom

(in reply to WyldWolf)
Post #: 7
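
Added example, not part of the original thread and not ISA Server's actual matching code: a small model of the behaviour described in the post above (a blocked extension anywhere after the host name blocks the request), compared with a check that looks only at the extension of the last path segment. The block list, function names and `example.com` URLs are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed block list and URLs; none of these come from the thread.
BLOCKED_EXTENSIONS = (".com", ".exe")

def blocked_anywhere_after_host(url, blocked=BLOCKED_EXTENSIONS):
    """Model of the behaviour described in the thread: a blocked extension
    anywhere after the host name (path or query string) blocks the request."""
    parts = urlsplit(url)
    tail = unquote(parts.path + "?" + parts.query).lower()
    # An extension matches when it is not followed by another letter or digit.
    return any(re.search(re.escape(ext) + r"(?![a-z0-9])", tail) for ext in blocked)

def blocked_by_path_extension(url, blocked=BLOCKED_EXTENSIONS):
    """Narrower check for comparison: only the extension of the last path
    segment counts, so host names inside query parameters are ignored."""
    path = unquote(urlsplit(url).path).lower()
    return posixpath.splitext(path.rsplit("/", 1)[-1])[1] in blocked

SAMPLE_URLS = {
    # Login URL whose query string carries a redirect target ending in .com
    "login_redirect": "http://login.example.com/config/login?.done=http://mail.example.com/inbox",
    "com_download": "http://files.example.com/tools/format.com",
    "exe_download": "http://www.example.com/download/setup.exe?mirror=eu",
    "plain_page": "http://www.example.com/index.html",
}

def compare(urls=SAMPLE_URLS):
    """Return {name: (anywhere_after_host, path_extension_only)}."""
    return {name: (blocked_anywhere_after_host(u), blocked_by_path_extension(u))
            for name, u in urls.items()}

if __name__ == "__main__":
    for name, (anywhere, path_only) in compare().items():
        print(f"{name:15} anywhere-after-host={anywhere!s:5} path-extension-only={path_only}")
```

Only the login redirect differs between the two checks: it is a false positive for the first and passes the second, while both still block the `.com` and `.exe` downloads. The path-only variant ignores the query string entirely, so it is shown for comparison rather than as a complete policy.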
RE: Strange http filter result - was reproducible - 10.Mar.2005 6:12:00 PM   
WyldWolf

 

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
Tom,

That makes sense and is what I thought, but you have to admit then that adding <.com> as a blocked extension given the widespread use in domain names (and redirection URLs tacked on after the FQDN) is probably an extension to skip when blocking?

(in reply to WyldWolf)
Post #: 8
RE: Strange http filter result - was reproducible - 10.Mar.2005 6:14:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi WW,

You're right about that. I guess we'll need to leave all the TLDs that we want to allow access to out.

Thanks!
Tom

(in reply to WyldWolf)
Post #: 9
RE: Strange http filter result - was reproducible - 10.Mar.2005 6:23:00 PM   
WyldWolf

 

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
Yea, I guess chalk it up as a bug, as for some reason most .com site redirections, etc. work without issues. The yahoo mail issue was certainly when the URL string they passed upon login changed, because it previously worked.

Unfortunately there are still many malicious .com executable files out there, and it would be nice if the filter didn't misinterpret that .1% forcing us to remove that TLD.

(in reply to WyldWolf)
Post #: 10
RE: Strange http filter result - was reproducible - 26.Mar.2005 2:46:00 PM   
jruelo

 

Posts: 22
Joined: 30.Nov.2002
Status: offline
WyldWolf,

Just installed the ISA server 2004 and Yahoo mail logins were blocked.

Can you please post the step by step procedure on how to allow Web Yahoo mail logins?

Thanks.

(in reply to WyldWolf)
Post #: 11
