Re: OWA issue certain emails dont open

From: Andy Webb (awebb_at_swinc.com.spamsucks.com)
Date: 09/30/04


Date: Thu, 30 Sep 2004 01:43:58 -0500

The use of .. allows path traversal for things like
..\..\..\winnt\system32\cmd.exe. So, you have to be quite sure the drive
permissions are correct and perhaps set the Default Virtual Server to use a
non system drive.

The ampersand is used to separate parameters passed to cgi scripts, so is
less of a concern to enable on OWA servers.

"jas0n" <no@email.here> wrote in message
news:MPG.1bc546b2932839f49896f6@news.gradwell.com...
> Win2k / Exch2k / OWA
>
> In looking into a problem with certain emails not opening I found it was
> down to the IISlockdown tool, in particular the Urlscan.ini file. The
> following section of urlscan.ini disables the ability to view emails in
> OWA that contain these characters in the subject line:-
>
> [DenyUrlSequences]
> .. ; Don't allow directory traversals
> ./ ; Don't allow trailing dot on a directory name
> \ ; Don't allow backslashes in URL
> % ; Don't allow escaping after normalization
> & ; Don't allow multiple CGI processes to run on a single request
>
> the urlscan.ini file is located at:-
>
> C:\WINNT\system32\inetsrv\urlscan\urlscan.ini
>
> So, I understand it is a security risk to enable these but want to know
> exactly how much of a risk it is as currently we have an operational
> problem with people not able to read mails that contain those characters
> in the subject line which is very irritating for the users but I don't
> want to open up a major security hole just for the sake of it.
>
> Looking at the characters I am thinking that the majority of email that
> is currently a problem to the users would be the ones with '..' or '&'
> in the subject line so if I enabled just those then it doesn't open it
> all up to abuse .... or does it? I don't really understand the security
> issues surrounding the above [DenyUrlSequences] so .... can anyone
> elaborate on this please?
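As an added illustration (this is not code from the thread and not Microsoft's UrlScan), the Python below models what the quoted [DenyUrlSequences] block does. It parses the sequences from a constructed ini excerpt, applies a simplified UrlScan-style check (case-insensitive substring match on the raw request URL, which is an assumption that approximates the real tool), and adds a separate path-containment check against a hypothetical /exchange virtual root. The sample URLs are constructed; the traversal one is the pattern named in the reply above. It shows why an OWA item URL built from a subject such as "status.. update" trips the ".." rule without ever leaving the web root, and which of the remaining rules still fire if only ".." and "&" are re-enabled, as the poster considers doing.

```python
import posixpath
from urllib.parse import unquote

# Constructed ini excerpt mirroring the [DenyUrlSequences] block quoted in the thread.
# Raw string so the lone backslash survives; ';' starts a comment, as in urlscan.ini.
URLSCAN_INI = r"""
[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request
"""

# Hypothetical OWA virtual root used by the containment check (an assumption).
OWA_ROOT = "/exchange"


def parse_deny_sequences(ini_text: str) -> list[str]:
    """Return the sequences listed under [DenyUrlSequences], comments stripped."""
    sequences, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop the ';' comment and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[denyurlsequences]"
            continue
        if in_section:
            sequences.append(line)
    return sequences


def matched_sequences(url: str, deny: list[str]) -> list[str]:
    """Simplified UrlScan model: case-insensitive substring match on the raw URL.

    Returns every denied sequence present, in config order (empty list = allowed).
    """
    lowered = url.lower()
    return [seq for seq in deny if seq.lower() in lowered]


def escapes_root(url_path: str, root: str = OWA_ROOT) -> bool:
    """Defence-in-depth check independent of UrlScan: after percent-decoding and
    treating backslashes as separators, does the normalised path leave the root?"""
    decoded = unquote(url_path).replace("\\", "/")
    normalised = posixpath.normpath(decoded)
    return not (normalised == root or normalised.startswith(root + "/"))


def relax(deny: list[str], *allow: str) -> list[str]:
    """Deny list with the given sequences re-enabled (e.g. '..' and '&')."""
    return [seq for seq in deny if seq not in allow]


if __name__ == "__main__":
    deny = parse_deny_sequences(URLSCAN_INI)
    relaxed = relax(deny, "..", "&")
    samples = [  # constructed OWA-style item URLs
        "/exchange/jas0n/Inbox/Q3 & Q4 figures.EML",
        "/exchange/jas0n/Inbox/Re: status.. update.EML",
        "/exchange/..\\..\\..\\winnt\\system32\\cmd.exe",
        "/exchange/../../winnt/system32/cmd.exe",
        "/exchange/%2e%2e/%2e%2e/winnt/system32/cmd.exe",
    ]
    for url in samples:
        print(f"{url!r}\n  full config: {matched_sequences(url, deny)}"
              f"\n  '..','&' re-enabled: {matched_sequences(url, relaxed)}"
              f"\n  leaves {OWA_ROOT}: {escapes_root(url)}")
```

Running it shows the two legitimate subject URLs blocked only by the "&" and ".." rules and never escaping the root, while every traversal variant is still caught by "./", "\" or "%" under the relaxed list and is also flagged by the containment check. The containment check is the kind of control a practitioner would want in place (together with the drive permissions the reply mentions) before relaxing any sequence, because it judges where the path actually resolves rather than which characters it contains.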


