Strange http filter result - was reproducible (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering



Message


WyldWolf -> Strange http filter result - was reproducible (4.Mar.2005 8:59:00 PM)

One of my clients started having an issue logging into yahoo webmail. No recent changes had been made on the ISA 2004 server.

Something must have changed in the long URL string that is passed from yahoo.

Here's how I reproduced the problem. This was about a month ago so I haven't tried it again but this is how I fixed the problem.

Add the .com executable type as blocked in the http filter. Go to mail.yahoo.com, type any username and password and click login and receive a http filter error.

What I found, is that in the blocked list of file extensions in the filter was that removing the .com file type fixed the problem. So something in the string being passed was triggering the ISA to believe the user was downloading a .com executable file.

I was able to toggle on and off the .com blocking in the http filter and reproduce, but it only seemed to affect the yahoo mail site - I'm certain if it is a bug it could have affected other sites?

Has anyone else seen this issue?




WyldWolf -> RE: Strange http filter result - was reproducible (8.Mar.2005 5:39:00 AM)

Tom, have you run into this?




tshinder -> RE: Strange http filter result - was reproducible (10.Mar.2005 5:34:00 PM)

Hi WW,

Haven't heard of it until today. I'll test it out and see what happens.

Thanks!
Tom




tshinder -> RE: Strange http filter result - was reproducible (10.Mar.2005 5:49:00 PM)

Hi WW,

It appears that the security filter sees the ".com" entries after the "*" as part of a file name. I'll see if I can find out why.

Thanks!
Tom




WyldWolf -> RE: Strange http filter result - was reproducible (10.Mar.2005 5:52:00 PM)

Thanks, I haven't tested again since it happened, but it definitely was due to a change in the HUGE URL string passed when the mail login occurred, because it happened to a couple of clients at the same time and no ISA changes had been made.

I guess I had never thought about <.com> being a potentially dangerous extension to block, given .com being such a common domain extension... all I can think is that something in the string was confusing the URL parsing into thinking it was actually a .com file.




WyldWolf -> RE: Strange http filter result - was reproducible (10.Mar.2005 5:55:00 PM)

....And I never see it on my ISA because I'm not blocking any file types for myself. [Smile]




tshinder -> RE: Strange http filter result - was reproducible (10.Mar.2005 6:04:00 PM)

Hi WW,

If there is a blocked file extension in the URI after the FQDN (host name), then the filter blocks the site. So, the only place ".com" can be if you've blocked that file extension is after the host name.

HTH,
Tom
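To make the mechanism Tom describes concrete, here is a small added example (not ISA's code and not from anyone in this thread) that models two ways a URI-based extension block can be evaluated. The `naive_blocks` function mimics the behaviour described above, where a blocked extension appearing anywhere after the host name trips the filter, so a `.com` host name inside a redirect parameter is enough to block the request. The `precise_blocks` function checks only the extension of the final path segment and ignores the query string. The URLs are constructed for illustration; the actual Yahoo login URL from the thread is not reproduced.

```python
"""Model of an HTTP filter's blocked-extension check (constructed example).

naive_blocks   - substring search over everything after the host name
precise_blocks - extension of the final path segment only, query ignored
"""
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed block list; ".com" is the entry the thread is about.
BLOCKED_EXTENSIONS = {".com", ".exe", ".pif", ".scr"}


def naive_blocks(url, blocked=BLOCKED_EXTENSIONS):
    """Return True if any blocked extension occurs anywhere in the
    request-URI after the host name (path and query string included).
    This reproduces the false positive described in the thread: a
    redirect parameter such as ?redirect=http://mail.example.com/...
    contains ".com" even though no .com file is being requested."""
    parts = urlsplit(url)
    after_host = unquote(parts.path)
    if parts.query:
        after_host += "?" + unquote(parts.query)
    after_host = after_host.lower()
    return any(ext in after_host for ext in blocked)


def precise_blocks(url, blocked=BLOCKED_EXTENSIONS):
    """Return True only if the last path segment ends in a blocked
    extension. The query string is not a file name, so it is ignored;
    percent-encoding is decoded first so that "tool%2Ecom" is still
    recognised as "tool.com"."""
    path = unquote(urlsplit(url).path)
    last_segment = posixpath.basename(path)
    _, ext = posixpath.splitext(last_segment)
    return ext.lower() in blocked


def compare(urls):
    """Evaluate both checks over a list of URLs and return
    {url: (naive_result, precise_result)} so the difference is visible."""
    return {u: (naive_blocks(u), precise_blocks(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs (not the real Yahoo login string).
    samples = [
        "http://mail.example.com/login?redirect=http://mail.example.com/inbox",
        "http://www.example.net/page.html?next=partner.com",
        "http://www.example.net/downloads/tool.com",
        "http://www.example.net/downloads/tool%2Ecom?track=1",
        "http://www.example.net/safe/index.html",
    ]
    for url, (naive, precise) in compare(samples).items():
        print(f"naive={naive!s:5} precise={precise!s:5}  {url}")
```

The second function is not a complete fix for extension blocking: a request-URI check is a heuristic in any case, since the server decides what it returns regardless of the path, and an operator who relies on this kind of block should treat it as one layer alongside content inspection. The example only shows why matching the block list against the whole URI, rather than the final path segment, is what turns a common TLD like `.com` into a source of false positives.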




WyldWolf -> RE: Strange http filter result - was reproducible (10.Mar.2005 6:12:00 PM)

Tom,

That makes sense and is what I thought, but you have to admit then that adding <.com> as a blocked extension, given the widespread use in domain names (and redirection URLs tacked on after the FQDN), is probably an extension to skip when blocking?




tshinder -> RE: Strange http filter result - was reproducible (10.Mar.2005 6:14:00 PM)

Hi WW,

You're right about that. I guess we'll need to leave all the TLDs that we want to allow access to out.

Thanks!
Tom




WyldWolf -> RE: Strange http filter result - was reproducible (10.Mar.2005 6:23:00 PM)

Yea, I guess chalk it up as a bug, as for some reason most .com site redirections, etc. work without issues. The yahoo mail issue was certainly when the URL string they passed upon login changed, because it previously worked.

Unfortunately there are still many malicious .com executable files out there, and it would be nice if the filter didn't misinterpret that .1%, forcing us to remove that TLD.




jruelo -> RE: Strange http filter result - was reproducible (26.Mar.2005 2:46:00 PM)

WyldWolf,

Just installed the ISA Server 2004 and Yahoo mail logins were blocked.

Can you please post the step by step procedure on how to allow Web Yahoo mail logins?

Thanks.
