RE: WMF Vunrability

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 4 Jan 2006 19:12:09 -0800

You should use one method or the other... I think that's what the JiMTP 1.0 spec means by <Choice>. It confused me too at first.

Just select Block unless you've already got lots of "allow only," in which case you'll remove .wmf and .emf if they are there.

t

-----
"I may disapprove of what you say,
but I will defend to the death your
right to say it."


----- Original Message -----
From: "Andy Haigh" <ahaigh@xxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 04, 2006 6:57 PM
Subject: [isalist] RE: WMF Vunrability



http://www.ISAserver.org

Hi Jim,
I am a little confused, not the first time there!

If I do the first bit and select "block specified" and enter the detail,
then select "allow specified" and remove the entries I end up with
nothing entered when I go back to "block specified".

Surely I only want to carry out the "block specified" part?

Thanks

Andy

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, 5 January 2006 12:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability

http://www.ISAserver.org

Updated:

HTTP filter settings (you all know how to get there).

1. Extensions:
<choice>
  Set "block specified"
  Add .emf
  Description="application/x-msmetafile"
  Add .wmf
  Description="application/x-msmetafile"
</choice>
<choice>
  Set "allow specified"
  Remove .emf
  Remove .wmf
</choice>
<notachoice>
  Set "allow all"
</notachoice>

2. Signatures:
  Name=WMF-1
  Description="request file type trigger"
  Type="Request URL"
  Signature=".emf"

  Name=WMF-2
  Description="request file type trigger"
  Type="Request URL"
  Signature=".wmf"

  Name=WMF-3
  Description="response headers trigger"
  Type="Response Headers"
  HTTP Header="content-type"
  Signature="msmetafile"

  Name=WMF-4
  Description="response body file type trigger"
  Type="Response Body"
  Signature=".emf"

  Name=WMF-5
  Description="response body file type trigger"
  Type="Response Body"
  Signature=".wmf"

  Name=WMF-6
  Description="response body file header trigger"
  Type="Response Body"
  Signature="184Gmg"

WMF-6 is the kewl one because all binary files are base-64 encoded when
transferred over HTTP and FTP.
WMF files usually incorporate a predefined header value that resolves to
the Base-64 signature in this definition.
It's probably the same technique as the GFI filter, except not as smart.



-------------------------------------------------------
  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, January 04, 2006 16:03
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability

http://www.ISAserver.org

HTTP filter settings (you all know how to get there).

1. Extensions:
<choice>
  Set "block specified"
  Add .emf
  Description="application/x-msmetafile"
  Add .wmf
  Description="application/x-msmetafile"
</choice>
<choice>
  Set "allow specified"
  Remove .emf
  Remove .wmf
</choice>
<notachoice>
  Set "allow all"
</notachoice>

2. Signatures:
  Name=WMF-1
  Description="request file type trigger"
  Type="Request URL"
  Signature=".emf"

  Name=WMF-2
  Description="request file type trigger"
  Type="Request URL"
  Signature=".wmf"

  Name=WMF-3
  Description="response headers trigger"
  Type="Response Headers"
  HTTP Header="content-type"
  Signature="msmetafile"

  Name=WMF-4
  Description="response body file type trigger"
  Type="Response Body"
  Signature=".emf"

  Name=WMF-5
  Description="response body file type trigger"
  Type="Response Body"
  Signature=".wmf"

  Name=WMF-6
  Description="response body file header trigger"
  Type="Response Body"
  Signature="184Gmg"

WMF-6 is the kewl one because all binary files are base-64 encoded when
transferred over HTTP and FTP.
WMF files usually incorporate a predefined header value that resolves to
the Base-64 signature in this definition.
It's probably the same technique as the GFI filter, except not as smart.

-------------------------------------------------------
  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
-------------------------------------------------------
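
Added example, not part of the thread and not ISA Server code: a Python model of the six signatures listed above, run against constructed traffic, with a check of the Base64 signature against metafile header bytes. The header bytes (placeable-metafile key 0x9AC6CDD7 plus a zero handle), the plain substring matching and every sample request are assumptions made here.

```python
import base64

# Assumption: the "predefined header value" is the placeable-metafile header,
# key 0x9AC6CDD7 (little-endian on disk) followed by a zero 16-bit handle.
PLACEABLE_HEADER = bytes.fromhex("d7cdc69a0000")

# WMF-1..WMF-6 as listed in the post: (name, field, header name, signature)
SIGNATURES = [
    ("WMF-1", "url", None, ".emf"),
    ("WMF-2", "url", None, ".wmf"),
    ("WMF-3", "headers", "content-type", "msmetafile"),
    ("WMF-4", "body", None, ".emf"),
    ("WMF-5", "body", None, ".wmf"),
    ("WMF-6", "body", None, "184Gmg"),
]

def b64_prefix(header: bytes) -> str:
    """Base64 characters that are fully determined by the leading bytes."""
    return base64.b64encode(header)[: len(header) * 8 // 6].decode()

def matches(url: str, headers: dict, body: bytes) -> list:
    """Names of signatures that fire (plain substring search is assumed)."""
    fields = {"url": url, "body": body.decode("latin-1")}
    hits = []
    for name, field, header_name, sig in SIGNATURES:
        hay = headers.get(header_name, "") if field == "headers" else fields[field]
        if sig in hay:
            hits.append(name)
    return hits

# Constructed samples: header bytes plus zero padding stand in for a metafile.
RAW = PLACEABLE_HEADER + bytes(16)
SAMPLES = {
    "named and typed": ("/img/logo.wmf",
                        {"content-type": "application/x-msmetafile"}, RAW),
    "relabelled": ("/img/logo.jpg", {"content-type": "image/jpeg"}, RAW),
    "base64 body": ("/img/logo.jpg", {"content-type": "text/plain"},
                    base64.b64encode(RAW)),
}

def report() -> dict:
    """Signature hits per sample."""
    return {label: matches(*sample) for label, sample in SAMPLES.items()}

if __name__ == "__main__":
    print("Base64 of header:", b64_prefix(PLACEABLE_HEADER))
    for label, hits in report().items():
        print(f"{label:16} -> {hits or 'no signature fires'}")
```

For the assumed header bytes the Base64 text is `183GmgAA`, so it is worth testing the WMF-6 string against a known metafile before relying on it.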


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, January 04, 2006 15:27
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability

http://www.ISAserver.org

Hey Jim,

Forget about the automation, just let us know what to do :)

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, January 04, 2006 2:18 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability

http://www.ISAserver.org

Sorry - I haven't.
I'm working with MSRC to narrow down the definitions and automation
for the ISA 2004 blocker.


-------------------------------------------------------
  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, January 04, 2006 11:45
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: WMF Vunrability

http://www.ISAserver.org

Jim, did you read this?  I'm wondering if the method described to
"block extensions" is correct or not.  Rather than using "Configure
HTTP" and setting allowable extensions, I thought one should explicitly
create a deny rule specifying both the .wmf extension *as well* as
application/x-msmetafile as the MIME type.  Incoming HTTP file
associations are handled by MIME type, not file extension.  Only when
there is no MIME type handed down by the server is a file extension
used (or when you do an actual file transfer, like with FTP.)

Comments on that?

t



-----
"I may disapprove of what you say,
but I will defend to the death your
right to say it."


----- Original Message -----
From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 04, 2006 11:24 AM
Subject: [isalist] RE: WMF Vunrability


> http://www.ISAserver.org
>
> Hey guys,
>
> Check out
> http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx
> too ;-)
>
> HTH,
> Stefaan
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday 4 January 2006 20:16
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> http://www.ISAserver.org
>
> Hi Tim,
>
> I agree. There seems to be than the usual amount of FUD associated with
> this problem. :(
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Wednesday, January 04, 2006 1:01 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: WMF Vunrability
>>
>> http://www.ISAserver.org
>>
>> I wouldn't call it "program like behavior." They just contain both
>> metadata and rendering data in the same file (as I understand it.)
>>
>> Renaming the file to something like ".gif" or ".jpg" could still cause
>> execution if loaded from a file, but only if the Picture and Fax
>> Viewer was the default program for those file types.  From a browser,
>> for WP&FV to open it and parse the data, it has to be that MIME type
>> (again, as I understand it.)
>>
>> While I've read here that the "way to do it" is how GFI does it, I've
>> still not seen any information on why simple content filtering won't
>> work.  But then again, I read where Jim is working with MSRC to come
>> up with a "workable" filter.  It would be nice to get some
>> authoritative, detailed information on why MIME and file type
>> filtering *won't* work.
>>
>> t
>>
>>
>> -----
>> "I may disapprove of what you say,
>> but I will defend to the death your right to say it."
>>
>>
>> ----- Original Message -----
>> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Wednesday, January 04, 2006 10:31 AM
>> Subject: [isalist] RE: WMF Vunrability
>>
>>
>> http://www.ISAserver.org
>>
>> Hi Tim,
>>
>> Don't know about that, but it's a good question. But I have to wonder
>> about other apps that open the WMF files. FWIU, WMF files have some
>> program like behavior that allow it to call other programs if
>> something doesn't work.
>>
>> How's that as an erudite description for a process? :)
>>
>> Tom
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://spaces.msn.com/members/drisa/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- ISA Firewalls
>> **Who is John Galt?**
>>
>>
>>
>> > -----Original Message-----
>> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> > Sent: Wednesday, January 04, 2006 12:13 PM
>> > To: [ISAserver.org Discussion List]
>> > Subject: [isalist] RE: WMF Vunrability
>> >
>> > http://www.ISAserver.org
>> >
>> > But if he sets a different mime type, Fax Viewer won't open the
>> > program, right?
>> >
>> > t
>> > -----
>> > "I may disapprove of what you say, but I will defend to the death
>> > your right to say it."
>> >
>> >
>> > ----- Original Message -----
>> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> > Sent: Wednesday, January 04, 2006 9:32 AM
>> > Subject: [isalist] RE: WMF Vunrability
>> >
>> >
>> > http://www.ISAserver.org
>> >
>> > Hi Jonathon,
>> >
>> > That won't work, because the scumbag can use any file name he wants.
>> > Same goes with the MIME type. The MIME type is set at the Web
>> > server, so the scumbag can associate any MIME type he wants.
>> >
>> > Tom
>> >
>> > Thomas W Shinder, M.D.
>> > Site: www.isaserver.org
>> > Blog: http://spaces.msn.com/members/drisa/
>> > Book: http://tinyurl.com/3xqb7
>> > MVP -- ISA Firewalls
>> > **Who is John Galt?**
>> >
>> >
>> >
>> > > -----Original Message-----
>> > > From: Jonathon J. Howey [mailto:Jonathon@xxxxxxx]
>> > > Sent: Wednesday, January 04, 2006 11:25 AM
>> > > To: [ISAserver.org Discussion List]
>> > > Subject: [isalist] RE: WMF Vunrability
>> > >
>> > > http://www.ISAserver.org
>> > >
>> > > What I did to block it was:
>> > >
>> > > Internet Access Policy -> Protocols tab -> Filtering -> Configure HTTP
>> > > -> Extensions tab.  Should be self explanatory from there.
>> > >
>> > >
>> > >
>> > > Jonathon J. Howey
>> > > KPSA Compliance Management Inc.
>> > > P 780.409.5620
>> > > F 780.409.5621
>> > > D 780.409.5628
>> > > C 780.965.8363
>> > > Jonathon@xxxxxxx
>> > >
>> > > Guiding the Future of Transportation www.KPSA.ca
>> > >
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
>> > > Sent: January 4, 2006 10:12 AM
>> > > To: [ISAserver.org Discussion List]
>> > > Subject: [isalist] RE: WMF Vunrability
>> > >
>> > > http://www.ISAserver.org
>> > >
>> > > He never stated what his "block" was.
>> > >
>> > >
>> > > -------------------------------------------------------
>> > >    Jim Harrison
>> > >    MCP(NT4, W2K), A+, Network+, PCG
>> > >    http://isaserver.org/Jim_Harrison/
>> > >    http://isatools.org
>> > >    Read the help / books / articles!
>> > > -------------------------------------------------------
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: Brian Boyes [mailto:BrianB@xxxxxxxxx]
>> > > Sent: Wednesday, January 04, 2006 09:02
>> > > To: [ISAserver.org Discussion List]
>> > > Subject: [isalist] RE: WMF Vunrability
>> > >
>> > > http://www.ISAserver.org
>> > >
>> > > > I have installed the "wmf" block to my ISA 2004 clients but I'm not sure
>> > > > how to set this up for ISA 2000.
>> > > > Could someone provide advice of the best way to do this.
>> > >
>> > > Did anyone ever post an answer? I'm curious about this "wmf block".
>> > >
>> > > Brian
>> > >
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> thor@xxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>



All mail to and from this domain is GFI-scanned.






