Re: [FW-1] WSE0020008

Subject: Re: [FW-1] WSE0020008
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 14 Mar 2006 19:55:26 -0500
This is MS's explanation of what's happening with ISA 2004 SP2:

"ISA responds to a request with "Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)".

The likely reason for the behavior you're seeing in this case is new logic that was added in ISA 2004 SP2 to mitigate HTTP request smuggling. The process for this attack is a bit involved and a whitepaper on the subject is available here: https://www.watchfire.com/securearea/whitepapers.aspx

RFC-2616 defines two headers, "content-length" and "transfer-encoding: chunked", for the same purpose, that of providing quantitative content validation for the receiver, and states *very clearly* that the server MUST NOT combine them in the same response. If the server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length value and instead use the chunked-encoding technique to validate the length of the HTTP body. This places a processing burden on the receiving entity (ISA, in this case), since a chunked-encoded transfer can't be quantitatively validated until the transfer is completed. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.

The reason those sites are either failing outright (www.delta.com) or rendering poorly (www.sun.com) is because we chose to reject those responses entirely. Since RFC-2616 clearly states "don't combine those headers" and doing so is a demonstrably malicious act, it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief. As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink our answer to this problem."

FWIW,

Ray

From: Ray <sixsigma44 AT HOTMAIL DOT COM>
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] WSE0020008
Date: Tue, 14 Mar 2006 17:16:42 -0500

Well, that's bad news. There's a big mess with Microsoft's ISA 2004 Service Pack 2 right now. As I understand it, the relevant RFC says that if both are found, one of them (can't remember which) is supposed to be ignored. MS decided it could be malicious and dropped the traffic instead. This disrupted HTTP connections to www.delta.com, www.sun.com and others. They're about to release a patch to comply with the RFC.

It sounds like exactly the same issue, but if those two web sites were getting blocked, I'm sure someone would have screamed about it by now. It is affecting OWA zip files. Do those emails have zip file attachments?

Ray

From: "Verweyen, Dirk" <verweyen AT KEMPER DOT DE>
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] WSE0020008
Date: Tue, 14 Mar 2006 08:29:55 +0100

Hi,

I have the following error with my R60-Gateway.

Some people cannot access all of their e-mails in
Exchange Web Access. They get the error:

----
Access denied due to security policy violation
Reject ID: 4413c581-0-112f3c3-7b6
----

In the policy log I then get the following error:

----
reason: WSE0020008 found both content-length and transfer-encoding headers
in response
                        resource:
----

Does anyone know why this occurs? I found something similar in
SecureKnowledge but I have no access to this document.

Regards, Dirk
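The three messages above describe the same condition from different angles: a response carrying both Content-Length and Transfer-Encoding (Dirk's WSE0020008 log line), the RFC 2616 rule that chunked framing wins and Content-Length is ignored (Ray's summary and the Microsoft explanation), and the vendor decision to reject such responses outright rather than re-frame them. The following Python script is an added example written for this page, not code from the thread, from Check Point or from Microsoft. It parses a raw HTTP/1.x response, reports whether both framing headers are present, decodes the chunked body to find the length a compliant receiver would actually use, compares that with the declared Content-Length, and then applies either a strict policy (reject on conflict, as ISA 2004 SP2 and the R60 gateway did) or an RFC 2616 policy (ignore Content-Length, accept). The function names, the `strict` parameter and the two sample responses are constructed for illustration.

```python
CRLF = b"\r\n"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], raw_body).

    Header names are lower-cased so 'Content-Length' and 'content-length' compare equal.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(CRLF)
    status = lines[0].decode("ascii", "replace")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return status, headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked transfer-coding body (RFC 2616 section 3.6.1).

    Raises ValueError on malformed or truncated input, which is itself a
    condition a proxy should treat as a framing failure rather than guess about.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        # chunk-size may be followed by ';' chunk-extensions, which are ignored
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: any trailer headers up to the final blank line are ignored here
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size
        if body[pos:pos + 2] != CRLF:
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def check_framing(raw: bytes) -> dict:
    """Report how the response is framed and whether the two length mechanisms disagree."""
    status, headers, body = parse_response(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    chunked = any("chunked" in v.lower() for v in te)
    result = {
        "status": status,
        "content_length": cl,
        "transfer_encoding": te,
        "conflict": bool(cl) and bool(te),   # the WSE0020008 condition
    }
    if chunked:
        # RFC 2616 4.4: Transfer-Encoding takes precedence; Content-Length is ignored
        decoded = decode_chunked(body)
        result["effective_length"] = len(decoded)
        result["body"] = decoded
        if cl:
            result["content_length_mismatch"] = int(cl[0]) != len(decoded)
    elif cl:
        n = int(cl[0])
        result["effective_length"] = n
        result["body"] = body[:n]
    else:
        # neither header: body runs until the connection closes
        result["effective_length"] = len(body)
        result["body"] = body
    return result


def verdict(result: dict, strict: bool) -> str:
    """Strict policy rejects any response that combines both headers (the ISA SP2 /
    R60 behaviour); the RFC 2616 policy accepts it and simply trusts the chunked framing."""
    if result["conflict"] and strict:
        return "reject"
    return "accept"


# Constructed sample responses (not captured traffic).
# Declared Content-Length of 5 disagrees with an 11-byte chunked body.
CONFLICTING = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"b\r\nhello world\r\n0\r\n\r\n"
)
CLEAN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    for label, raw in (("conflicting", CONFLICTING), ("clean", CLEAN)):
        r = check_framing(raw)
        print(label, "conflict=%s effective_length=%d strict=%s rfc=%s" % (
            r["conflict"], r["effective_length"], verdict(r, True), verdict(r, False)))
```

Running the script shows why the two policies differ in practice: the conflicting response is rejected under strict mode and accepted under the RFC rule, which in this case silently discards a Content-Length that is off by six bytes. That discrepancy is the quantity worth logging, because a legitimate but sloppy server tends to declare a Content-Length that matches the decoded chunked body, whereas a deliberately desynchronised response does not.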

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================