Does that also work for ISA 2000?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 9:14 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Ain't the HTTP Filter Just The Kewlest Ever?!?
>
> http://www.ISAserver.org
>
> Done; http://isatools.org/block_inject.vbs is the script of choice.
> You should see it on ISATools.org also...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 8:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Ain't the HTTP Filter Just The Kewlest Ever?!?
>
> http://www.ISAserver.org
>
> I was wandering through my ISA logs (I have no life; I admit it) and I
> discovered a crappy little trick Fandango is using to insert ads into
> your browser (Steve; you reading?):
>
> http://www.fandango.com/eyeblaster/addineyeV2.html?strHTML=%3Cscript%3E%0D%0A%0A%3C%21--%0Avar%20gfEbInIframe%3Dfalse%3B%0Avar%20gEbAd%20%3D%20new%20Object%28%29%3B%0AgEbAd.nFlightID%20%3D%2061803%3B%0A//Remote%20servers%0AgEbAd.playRS%20%3D%20new%20Object%28%29%3B%0AgEbAd.playRS.strNUrl%20%3D%20%22http%3A//ad.doubleclick.net/imp%3Bv1%3Bi%3B12979394%3B0-0%3B0%3B5755652%3B468%7C60%3B8301289%7C8319185%7C1%3B%3Bcs%3Dy%253fhttp%3A//m3.doubleclick.net%22%3B%0A//Interactions%0AgEbAd.interactions%20%3D%20new%20Object%28%29%3B%0AgEbAd.interactions%5B%22_eyeblaster%22%5D%20%3D%20%22ebN%3Dhttp%3A//ad.doubleclick.net/click%253Bh%3Dv3%7C31f4%7C2%7C0%7C%252a%7Cm%253B12979394%253B0-0%253B0%253B5755652%253B1-468%7C60%253B8301289%7C8319185%7C1%253B%253B%257Esscs%253D%253fhttp%3A//m3.doubleclick.net%3B%22%3B%0A//--%3E%3C/script%3E%3Cscript%20src%3D%27http%3A//ds.serving-sys.com/BurstingScript/ebServing.js%27%3E%3C/script%3E
>
> ..luckily, since I run my own blocking scripts, the HTTP Filter saw the
> "%0D%0A" sequence and said "hell NO!"
>
> "12217 0x80 Blocked by the HTTP Security filter: URL
> contains sequences which are disallowed"
>
> ..ok; you may ask - what does "%0D%0A" mean to me?
>
> When decoded, "%0A%0D" translates to <CR><LF>; something that should
> NEVER exist in a URL.
>
> There are also other characters that are normally associated with a
> technique called "script injection"; a method whereby the sender tricks
> your browser or server into doing something you'd really rather it
> didn't.
>
> Those characters are shown as "script" and "/script" surrounded by "%3C"
> and "%3E"; "<" and ">", respectively. This is an older (pretty useless,
> too) script injection method.
>
> They also try to obfuscate (developer term used to obfuscate the meaning
> of the conversation) other characters that might trigger filtering
> mechanisms, such as:
>
> "http%3A//" (translates to http://).
>
> Since none of my current scripts include the "%3Cscript" sequence, I'll
> create another blocking definition and post it.
>
> Needless to say, Fandango just made the top of my sh1tlist...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
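As an added illustration (not part of the thread, and not Jim's block_inject.vbs, whose contents are not shown here), a small Python check that looks for the sequences the post calls out, matched both on the raw percent-encoded URL and on its decoded form, run over a constructed, abbreviated version of the Fandango URL and a constructed benign request:

```python
import re
from urllib.parse import unquote

# Constructed, abbreviated version of the Fandango URL quoted in the post:
# the strHTML parameter still carries an encoded <script> block with CRLF.
SAMPLE_URL = (
    "http://www.fandango.com/eyeblaster/addineyeV2.html?strHTML="
    "%3Cscript%3E%0D%0A%3C%21--%0Avar%20gfEbInIframe%3Dfalse%3B%0A//--%3E"
    "%3C/script%3E%3Cscript%20src%3D%27http%3A//ds.serving-sys.com/"
    "BurstingScript/ebServing.js%27%3E%3C/script%3E"
)
# Constructed benign request for comparison (an encoded space is fine).
BENIGN_URL = "http://www.fandango.com/search.html?q=star%20wars"

# Signatures matched on the raw (still percent-encoded) URL, i.e. the
# sequences the post names: CRLF, <script>, </script>, and an encoded
# "http://" hidden inside a parameter value.
RAW_SIGNATURES = [
    ("CRLF (%0D%0A) in URL", re.compile(r"%0D%0A", re.IGNORECASE)),
    ("encoded <script", re.compile(r"%3Cscript", re.IGNORECASE)),
    ("encoded </script>", re.compile(r"%3C/script%3E", re.IGNORECASE)),
    ("encoded http:// inside a parameter", re.compile(r"http%3A//", re.IGNORECASE)),
]

# Signatures matched after one round of percent-decoding, which is what
# the receiving page or browser ends up working with.
DECODED_SIGNATURES = [
    ("literal CR/LF after decoding", re.compile(r"[\r\n]")),
    ("<script after decoding", re.compile(r"<script", re.IGNORECASE)),
]


def check_url(url):
    """Return the names of every disallowed sequence found in `url`."""
    hits = [name for name, rx in RAW_SIGNATURES if rx.search(url)]
    decoded = unquote(url)
    hits += [name for name, rx in DECODED_SIGNATURES if rx.search(decoded)]
    return hits


def filter_decision(url):
    """Block on any hit; the wording mirrors the ISA log line in the post."""
    hits = check_url(url)
    if not hits:
        return "Allowed"
    return ("Blocked by the HTTP Security filter: URL contains sequences "
            "which are disallowed: " + "; ".join(hits))
```

Checking the decoded form as well catches the same payload when only the encoding changes, which is the kind of obfuscation the post describes with "http%3A//".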