Article ID: 2622172 - Last Review: October 6, 2011 - Revision: 2.0

FIX: ISA 2006 blocks published website requests for URLs that include carriage returns (CR) or linefeeds (LF)

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this procedure in your particular environment. If you implement this procedure, take any appropriate additional steps to help protect the computer.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:
  • You publish a webpage through Microsoft Internet Security and Acceleration (ISA) Server 2006 by using Forms-Based Authentication.
  • You access this webpage by using a URL that contains an escaped carriage return ("%0D") or a linefeed ("%0A") in the URL.

In this scenario, ISA Server 2006 blocks access to the URL. Additionally, the ISA Web Proxy logs show a result code of 12232 for the denied request.

Note Keep in mind that this result code can also be logged because of other issues and that the URL that is logged would have to be reviewed for %0a or %0d characters to determine whether this is the issue that you experienced.
Back to the top

CAUSE

This problem occurs because the Forms Based Authentication filter blocks known cross-site scripting and related attacks. In this case, the filter is blocking response splitting attacks that also include carriage returns or linefeeds. However, valid URLs can also include these characters. For example, the IBM Rational Clearquest application is known to use carriage returns or linefeeds in its URLs.
Back to the top

RESOLUTION

To resolve this problem, install the ISA Server 2006 hotfix rollup package that is described in the following Microsoft Knowledge Base article:
2616326  (http://support.microsoft.com/kb/2616326/ ) Description of the ISA Server 2006 hotfix package: September 2011
Back to the top

MORE INFORMATION

Warning This procedure may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this procedure but are providing this information so that you can implement this procedure at your own discretion. Use this procedure at your own risk.

The following script will disable the default behavior in ISA Server 2006 Service Pack 1 and enable the ISA Server to allow URLs that contain carriage returns (CR) or linefeeds (LF) in the URL address. To use this script, follow these steps.

ImportantNote Disabling this default behavior of ISA Server 2006 SP1 (in order to accommodate such applications) could also enable ISA Server to potentially allow the URLs that have been specifically crafted for “cross-site request forgery” attacks when ISA Server uses Form Based Authentication.
  1. Start Notepad.
  2. Paste the following script into a new document.
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "AllowNewlineInURL"
Const SE_VPS_VALUE = true
 
Sub SetValue()
 
    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")
 
    'Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object
 
    ' Get references to the array object
    ' and to the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets
 
    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )
 
    If Err.Number <> 0 Then
        Err.Clear
 
        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
       CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name
 
    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
    End If
 
    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
 
        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
 
        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError
 
            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If
 
End Sub
 
Sub CheckError()
 
    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If
 
End Sub
 
SetValue
  3. On the File menu, click Save As, and then save the file as AllowNewlineInURL.vbs.
  4. At a command prompt, type the following command, and then press Enter:
    cscript AllowNewlineInURL.vbs
To return to the default behavior in ISA Server 2006 Service Pack 1 to block URLs that might contain cross-site request forgery attacks when you use Form Based Authentication, follow these steps:
  1. Start Notepad, and then open the AllowNewlineInURL.vbs script.
  2. Locate the following line of code in the script. 
    Const SE_VPS_VALUE = true
  3. Change the code to the following line:
    Const SE_VPS_VALUE = false
  4. On the File menu, click Save.
  5. At a command prompt, type the following command, and then press Enter:
    cscript AllowNewlineInURL.vbs
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684  (http://support.microsoft.com/kb/824684/ ) Description of the standard terminology that is used to describe Microsoft software updates
Back to the top
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, when used with:
    • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
    • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
Back to the top
Keywords: 
kbfix kbqfe kbexpertiseadvanced kbsurveynew kbhotfixserver kbhotfixrollup KB2622172
Back to the top