| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <C0DE961B.53A8%thor@hammerofgod.com> Date: Sat, 15 Jul 2006 12:54:51 -0700 From: "Thor (Hammer of God)" <thor@...merofgod.com> To: <medozero@...oo.com>, Bugtraq <bugtraq@...urityfocus.com> Subject: Re: Bybass HTTP ( extension files ) in ISA 2004 I cannot reproduce this on either ISA2004 or ISA2006. Configuring the HTTP filter to block file extensions functions as expected with or without the "#". You've probably misconfigured your firewall, or have some other issue. Can you please provide details on your configuration? T --- New Blackhat Vegas 2006 Training Offered! ISA Ninjitsu: Designing, Building, and Maintaining Enterprise Firewall and DMZ Topologies with Microsoft ISA Server 2004 http://www.blackhat.com/html/bh-usa-06/train-bh-us-06-tm-isa.html On 7/15/06 7:47 AM, "medozero@...oo.com" <medozero@...oo.com> spoketh to all: > hi ppl i just discover a bug in Microsoft Internet Security and Acceleration > (ISA) Server which make you able to Bybass HTTP ( extension files ) just add # > to the end of the file extension > > ex: www.site.com/file.zip# > > that will make you bybass the filter rule if the admin prevent you from > downlaoding the extension zip > > Copyright MedoZero 2006 > >
Powered by blists - more mailing lists