OWA issue: certain emails don't open

Win2k / Exch2k / OWA

In looking into a problem with certain emails not opening I found it was 
down to the IISlockdown tool, in particular the Urlscan.ini file. The 
following section of urlscan.ini disables the ability to view emails in 
OWA that contain these characters in the subject line:-

[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request

the urlscan.ini file is located at:-

C:\WINNT\system32\inetsrv\urlscan\urlscan.ini

So, I understand it is a security risk to enable these but want to know 
exactly how much of a risk it is, as currently we have an operational 
problem with people not able to read mails that contain those characters 
in the subject line, which is very irritating for the users, but I don't 
want to open up a major security hole just for the sake of it.

Looking at the characters I am thinking that the majority of email that 
is currently a problem to the users would be the ones with '..' or '&' 
in the subject line, so if I enabled just those then it doesn't open it 
all up to abuse .... or does it? I don't really understand the security 
issues surrounding the above [DenyUrlSequences] so .... can anyone 
elaborate on this please?
no9891 (13)
9/29/2004 10:25:31 PM
exchange.admin


The use of .. allows path traversal for things like 
..\..\..\winnt\system32\cmd.exe.  So, you have to be quite sure the drive 
permissions are correct and perhaps set the Default Virtual Server to use a 
non system drive.

The ampersand is used to separate parameters passed to cgi scripts, so is 
less of a concern to enable on OWA servers.

awebb7472 (650)
9/30/2004 6:43:58 AM

So if I enabled the '..' and also the ampersand ('&') but did not allow 
'\', then this would effectively allow more mail to be opened by the 
users but with not much in the way of security compromised? Am I right 
there?

.... The other thing is, I guess, why on earth does the subject line get 
scanned for these things anyway, as surely it's just a passive thing and 
not possible to execute anything from a subject line ..... or is it!?
no9891 (13)
9/30/2004 7:51:43 AM
Well, OWA uses the message subject as part of the URL, so that's why it's 
being scanned.

It is possible to secure your system in such a way that you don't need to 
block these characters.  You cannot solve it by blocking the "\" character 
though.

So, while it's not possible to execute something from a subject line, it's 
not possible from the perspective of URLSCAN to distinguish a subject line 
from any other potentially malicious URL.


awebb7472 (650)
10/2/2004 5:26:19 AM
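The two points made in the replies, that OWA puts the message subject into the URL and that the '..' entry is what stops traversal, can be tried out together with the following added example. It is not code from the thread and not Microsoft's URLScan; it is a simplified model. It parses the [DenyUrlSequences] fragment quoted above, builds the URL shape Exchange 2000 OWA used to address a message (the subject becomes the last path segment, /exchange/<mailbox>/Inbox/<subject>.EML), decodes %XX once in the spirit of URLScan's default NormalizeUrlBeforeScan=1, and then reports which denied sequence each URL trips. The mailbox name "alice", the subjects and the traversal URLs are constructed for the demonstration; which characters OWA and IE left literal in the path ('&' and '\' here) is an assumption.

```python
"""Model of URLScan's [DenyUrlSequences] check applied to OWA message URLs.

Added example; not code from the thread and not Microsoft's URLScan. The
normalization step is a simplification of NormalizeUrlBeforeScan=1: decode
%XX once, then scan the result. Mailbox, subjects and attack URLs are
constructed samples.
"""
from urllib.parse import quote, unquote

# The [DenyUrlSequences] section as quoted in the thread.
URLSCAN_INI = """
[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\\   ; Don't allow backslashes in URL
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request
"""


def parse_deny_sequences(ini_text):
    """Return the sequences listed under [DenyUrlSequences]; ';' starts a comment."""
    seqs, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[denyurlsequences]"
            continue
        if in_section:
            token = line.split(";", 1)[0].strip()
            if token:
                seqs.append(token)
    return seqs


def owa_message_url(mailbox, subject):
    """URL shape Exchange 2000 OWA used for a message: the subject is the last path
    segment. '&' and '\\' are kept literal (assumption), everything else %-escaped."""
    return "/exchange/%s/Inbox/%s.EML" % (quote(mailbox), quote(subject, safe="&\\"))


def normalize(url):
    """One round of %XX decoding before scanning (simplified URLScan behaviour)."""
    return unquote(url)


def denied_by(url, sequences):
    """Sequences (case-insensitive substring match on the normalized URL) that
    would cause URLScan to reject this request; an empty list means it passes."""
    text = normalize(url).lower()
    return [s for s in sequences if s.lower() in text]


def evaluate(urls, sequences):
    """Map each URL to the denied sequences it trips."""
    return {u: denied_by(u, sequences) for u in urls}


# Constructed samples: ordinary subjects users might send, then traversal attempts.
USER_URLS = [
    owa_message_url("alice", "Re: Q3 & Q4 figures"),
    owa_message_url("alice", "Follow up..."),
    owa_message_url("alice", "100% complete"),
    owa_message_url("alice", "Lunch on Friday"),
]
ATTACK_URLS = [
    "/exchange/alice/Inbox/../../../winnt/system32/cmd.exe",
    "/exchange/alice/Inbox/..\\..\\..\\winnt\\system32\\cmd.exe",
    "/exchange/alice/Inbox/%2e%2e/%2e%2e/winnt/system32/cmd.exe",
    "/exchange/alice/Inbox/%252e%252e/winnt/system32/cmd.exe",  # double-encoded
]

if __name__ == "__main__":
    full = parse_deny_sequences(URLSCAN_INI)
    relaxed = [s for s in full if s not in ("..", "&")]  # the change proposed in the thread
    for label, seqs in (("default", full), ("without .. and &", relaxed)):
        print("== %s: %s" % (label, seqs))
        for url, hits in evaluate(USER_URLS + ATTACK_URLS, seqs).items():
            print("%-8s %s %s" % ("BLOCKED" if hits else "ok", url, hits))
```

Under this model, dropping '..' and '&' lets the first two subjects through, while a '../' traversal is still caught by the './' entry, a '..\' traversal by the '\' entry, and a double-encoded '%252e' attempt by the '%' entry, which also keeps blocking any subject containing a literal '%'. Real URLScan has further switches (VerifyNormalization among them) and its own scanning order, so confirm the behaviour against the actual server log rather than relying on this approximation.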
One of my users is experiencing an issue when they save an email that is tracked within CRM the email displays in CRM with "Size=2>" directly in front of certain lines of the email. So for example "Size=2>" will appear in front of someone's comments in the email or in front of their name. Does anyone know why "Size=2>" is displaying in front of the lines of an email? Thanks. Mike H. "Mike H." wrote: > One of my users is experiencing an issue when they save an email that is > tracked within CRM the email displays in CRM wit...