OWA and URLScan

From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: 04/19/02


Date: Fri, 19 Apr 2002 07:05:18 -0700
To: Focus-MS <FOCUS-MS@SECURITYFOCUS.COM>
From: "Deus, Attonbitus" <Thor@HammerofGod.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings!

In Exchange2000, emails delivered to one's box are saved as the subject
text with a .EML extension. For instance, this email will be saved in
Exchange2000 folders as "OWA and URLScan.EML"

Outlook Web Access, when reading emails, simply points to this filename in
order to preview or open the message. This email would have a link like
"https://www.domain.com/exchange/UserName/InBox/OWA and URLScan.EML"

By default, the URLScan DenyUrlSequences tag filters stuff like "..", "%",
and "&." So, if I get a message with a subject of "Check this out..." or
"Server Activity up 65%" or "You & Magni" the resultant filenames will
contain the characters that URLScan will filter out, which keeps me from
previewing or opening these emails in OWA.
i.e.: "https://www.domain.com/exchange/UserName/InBox/Check this out....EML"
will filter the ".." as if it were a parent dir tag.

How are those of you running OWA with URLScan working with this? Have you
removed the DenyUrlSequences tags? Is there some method to change the
filename nomenclature on Exchange2000 so that something like a message ID
is used?

I am aware of Q247466 which talks about certain characters in the subject
not working, such as "#" or "?", but that is a different scenario. This is
a URLScan issue...

Comments appreciated.

Cheers,

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPMAkHohsmyD15h5gEQIhrACg8WkTSiL1p7Rro+em8LaLym56xqMAn2oL
loxWrxcpQoorSmXUT44wxja/
=RzvY
-----END PGP SIGNATURE-----
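
An added example, not part of the original post: a small audit that reads a `[DenyUrlSequences]` section and reports which mail subjects would produce OWA links that the filter rejects. The sample urlscan.ini fragment is constructed from the three sequences the post names, and the matching rule (case-insensitive substring test on the decoded URL path) is a simplified model of URLScan, stated here as an assumption.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed urlscan.ini fragment: only the three sequences the post names.
SAMPLE_INI = """\
[Options]
NormalizeUrlBeforeScan=1

[DenyUrlSequences]
..  ; parent-directory sequence
%   ; percent sign left after normalization
&   ; ampersand
"""

def deny_sequences(ini_text):
    """Return the [DenyUrlSequences] entries with ';' comments stripped."""
    seqs, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[denyurlsequences]"
        elif in_section and line:
            seqs.append(line)
    return seqs

def owa_url(base, user, folder, subject):
    """Build the subject-derived .EML link in the form the post describes."""
    parts = [quote(user), quote(folder), quote(subject + ".EML")]
    return base.rstrip("/") + "/" + "/".join(parts)

def blocked_by(url, seqs):
    """Assumed model: substring match on the percent-decoded URL path."""
    path = unquote(urlsplit(url).path).lower()
    return [s for s in seqs if s.lower() in path]

def audit(subjects, ini_text=SAMPLE_INI,
          base="https://www.domain.com/exchange",
          user="UserName", folder="InBox"):
    """Map each subject to the deny sequences its OWA link would trigger."""
    seqs = deny_sequences(ini_text)
    return {s: blocked_by(owa_url(base, user, folder, s), seqs) for s in subjects}

if __name__ == "__main__":
    subjects = ["OWA and URLScan", "Check this out...",
                "Server Activity up 65%", "You & Magni"]
    for subject, hits in audit(subjects).items():
        print(f"{subject!r}: {'blocked by ' + repr(hits) if hits else 'allowed'}")
```

Running the audit against a copy of the production urlscan.ini and a sample of real subject lines shows how much mail each deny sequence makes unreadable in OWA before any sequence is relaxed.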


