Re: OWA issue certain emails dont open

From: Andy Webb (awebb_at_swinc.com.spamsucks.com)
Date: 09/30/04


Date: Thu, 30 Sep 2004 01:43:58 -0500

The use of .. allows path traversal for things like
..\..\..\winnt\system32\cmd.exe. So, you have to be quite sure the drive
permissions are correct and perhaps set the Default Virtual Server to use a
non system drive.

The ampersand is used to separate parameters passed to cgi scripts, so it is
less of a concern to enable on OWA servers.

"jas0n" <no@email.here> wrote in message
news:MPG.1bc546b2932839f49896f6@news.gradwell.com...
> Win2k / Exch2k / OWA
>
> In looking into a problem with certain emails not opening I found it was
> down to the IISlockdown tool, in particular the Urlscan.ini file. The
> following section of urlscan.ini disables the ability to view emails in
> OWA that contain these characters in the subject line:-
>
> [DenyUrlSequences]
> .. ; Don't allow directory traversals
> ./ ; Don't allow trailing dot on a directory name
> \ ; Don't allow backslashes in URL
> % ; Don't allow escaping after normalization
> & ; Don't allow multiple CGI processes to run on a single request
>
> the urlscan.ini file is located at:-
>
> C:\WINNT\system32\inetsrv\urlscan\urlscan.ini
>
> So, I understand it is a security risk to enable these but want to know
> exactly how much of a risk it is as currently we have an operational
> problem with people not able to read mails that contain those characters
> in the subject line which is very irritating for the users but I don't
> want to open up a major security hole just for the sake of it.
>
> Looking at the characters I am thinking that the majority of email that
> is currently a problem to the users would be the ones with '..' or '&'
> in the subject line so if I enabled just those then it doesn't open it
> all up to abuse .... or does it? I don't really understand the security
> issues surrounding the above [DenyUrlSequences] so .... can anyone
> elaborate on this please?
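The following is an added example, not UrlScan's or Microsoft's code, that models how the [DenyUrlSequences] list quoted above is applied to the URLs OWA 2000 generates, which end in the message subject. It assumes a simplified OWA item URL of the form /exchange/<mailbox>/Inbox/<subject>.EML with a constructed mailbox name, and that UrlScan percent-decodes the URL once before scanning (its NormalizeUrlBeforeScan option). It goes slightly beyond the thread by letting you remove individual sequences, so you can see what each relaxation does to the filter.

```python
"""Constructed model of UrlScan's [DenyUrlSequences] check on OWA 2000 URLs.

Added example, not UrlScan's or Microsoft's code. Assumptions:
  * OWA 2000 exposes a message at /exchange/<mailbox>/Inbox/<subject>.EML
    (simplified form; the mailbox name "jas0n" is constructed);
  * UrlScan percent-decodes the URL once before scanning
    (NormalizeUrlBeforeScan=1), then looks for each denied sequence.
"""
from urllib.parse import quote, unquote

# The sequences from the poster's urlscan.ini, in the same order.
DENY_URL_SEQUENCES = ("..", "./", "\\", "%", "&")


def owa_item_url(mailbox, subject):
    """Build the URL a browser would request for a message (constructed form).

    quote(safe="") percent-encodes everything except unreserved characters,
    so a legitimate '%' in the subject becomes '%25' on the wire.
    """
    return "/exchange/%s/Inbox/%s.EML" % (quote(mailbox), quote(subject, safe=""))


def first_denied_sequence(url, deny=DENY_URL_SEQUENCES):
    """Return the first denied sequence present after one decoding pass, or None.

    Decoding first is what makes '..%5c' show up as '..\\', and what makes
    a doubly-encoded '%25' decode back to a bare '%' that the '%' rule catches.
    """
    normalized = unquote(url)
    for seq in deny:
        if seq in normalized:
            return seq
    return None


def blocked_subjects(subjects, mailbox="jas0n", deny=DENY_URL_SEQUENCES):
    """Map each subject to the sequence that gets its URL rejected, or None."""
    return {s: first_denied_sequence(owa_item_url(mailbox, s), deny) for s in subjects}


def relaxed_deny_list(*allow):
    """Deny list with the given sequences removed, modelling an edited urlscan.ini."""
    return tuple(seq for seq in DENY_URL_SEQUENCES if seq not in allow)


if __name__ == "__main__":
    # Constructed subjects of the kind the poster describes.
    subjects = ["Meeting notes", "Q3 & Q4 budget", "Re: ..and another thing", "50% off"]
    for subject, seq in blocked_subjects(subjects).items():
        print("%-26s -> %s" % (subject, "rejected on %r" % seq if seq else "allowed"))

    # Constructed encoded request with traversal segments in the item path.
    traversal = "/exchange/jas0n/Inbox/..%5c..%5cwinnt.EML"
    print("allow '&' only      :", first_denied_sequence(traversal, relaxed_deny_list("&")))
    print("allow '..' and '\\' :", first_denied_sequence(traversal, relaxed_deny_list("..", "\\")))
```

Run as-is it shows the trade-off the reply describes: dropping only "&" from the deny list lets "Q3 & Q4 budget" open while an encoded "..%5c..%5c" path is still rejected on "..", whereas dropping ".." and "\" leaves that path entirely unfiltered, which is why the reply ties that change to drive permissions and a non-system drive. It also shows why "%" trips on subjects that were encoded perfectly legitimately: after the single decoding pass the "%25" is a bare "%" again.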
