Welcome to ISAserver.org

Strange http filter result - was reproducible

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Strange http filter result - was reproducible

Page: [1]

Message

<< Older Topic Newer Topic >>

Strange http filter result - was reproducible - 4.Mar.2005 8:59:00 PM

WyldWolf

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline

One of my clients started having an issue logging into yahoo webmail. No recent changes had been made on the ISA 2004 server.

Something must have changed in the long URL string that is passed from yahoo.

Here's how I reproduced the problem. This was about a month ago so I haven't tried it again but this is how I fixed the problem.

Add the .com executable type as blocked in the http filter. Go to mail.yahoo.com, type any username and password and click login and receive a http filter error.

What I found, is that in the blocked list of file extensions in the filter was that removing the .com file type fixed the problem. So something in the string being passed was triggering the ISA to believe the user was downloading a .com executable file.

I was able to toggle on and off the .com blocking in the http filter and reproduce, but it only seemed to affect the yahoo mail site - I'm certain if it is a bug it could have affected other sites?

Has anyone else seen this issue?

Post #: 1

Featured Links*

RE: Strange http filter result - was reproducible - 8.Mar.2005 5:39:00 AM

WyldWolf

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline

Tom, have you run into this?

(in reply to WyldWolf)

Post #: 2

RE: Strange http filter result - was reproducible - 10.Mar.2005 5:34:00 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi WW,

Haven't heard of it until today. I'll test it out and see what happens.

Thanks!
Tom

(in reply to WyldWolf)

Post #: 3

RE: Strange http filter result - was reproducible - 10.Mar.2005 5:49:00 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi WW,

It appears that the security filter sees the ".com" entries after the "*" as part of a file name. I'll see if I can find out why.

Thanks!
Tom

(in reply to WyldWolf)

Post #: 4

RE: Strange http filter result - was reproducible - 10.Mar.2005 5:52:00 PM

WyldWolf

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline

Thanks, I haven't tested again since it happened, but it definitely was due to a change in the HUGE URL string passed when the mail login occurred, because it happened to a couple of clients at the same time and no ISA changes had been made.

I guess I had never thought about <.com> being a potentially dangerous extension to block, given .com being such a common domain extension.....all I can think it something in the string was confusing the URL parsing into thinking it was actually a .com file.

(in reply to WyldWolf)

Post #: 5

RE: Strange http filter result - was reproducible - 10.Mar.2005 5:55:00 PM

WyldWolf

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline

....And I never see it on my ISA because I'm not blocking any file types for myself. [Smile]

(in reply to WyldWolf)

Post #: 6

RE: Strange http filter result - was reproducible - 10.Mar.2005 6:04:00 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi WW,

If there is a blocked file extension in the URI after the FQDN (host name), then the filter blocks the site. So, the only place ".com" can be if you've blocked that file extension is after the host name.

HTH,
Tom

(in reply to WyldWolf)

Post #: 7

RE: Strange http filter result - was reproducible - 10.Mar.2005 6:12:00 PM

WyldWolf

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline

Tom,

That makes sense and is what I thought, but you have to admit then that adding <.com> as a blocked extension given the widespread use in domain names (and redirection URLS tacked on after the FQDN) is probably an extension to skip when blocking?

(in reply to WyldWolf)

Post #: 8

RE: Strange http filter result - was reproducible - 10.Mar.2005 6:14:00 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi WW,

You're right about that. Is guess we'll need to leave all the TLDs that we want to allow access to out.

Thanks!
Tom

(in reply to WyldWolf)

Post #: 9

RE: Strange http filter result - was reproducible - 10.Mar.2005 6:23:00 PM

WyldWolf

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline

Yea, I guess chalk it up as a bug, as for some reason most .com site redirections, etc. work without issues. The yahoo mail issue was certainly when the URL string they passed upon login changed, because it previously worked.

Unfortunatley there are still many malicious .com executable files out there, and it would be nice if the filter didn't misinterpret that .1% forcing us to remove that TLD.

(in reply to WyldWolf)

Post #: 10

RE: Strange http filter result - was reproducible - 26.Mar.2005 2:46:00 PM

jruelo

Posts: 22
Joined: 30.Nov.2002
Status: offline

WyldWolf,

Just installed the ISA server 2004 and Yahoo mail login's were blocked.

Can you please post the step by step procedure on how to allow Web Yahoo mail logins?

Thanks.

(in reply to WyldWolf)

Post #: 11