CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi there!

First some background: VPN-1 (Pro...using eval license until we migrate to new device with SmartCenter Pro) with a central license. R55 HFA_04, Hotfix 093 - Build 003. Management station is a Win2k3 server. VPN concentrator is SPLAT (R55 yada yada).

In Smart Defense > Application Intelligence > Cross Site Scripting we have checked Configure Cross Site Scripting protection per web server. In the list, we have web servers listed, BLOCK shows "SCRIPT tag", and PROTECTED BY has "*All".

Now when a user tries to upload a file to a SharePoint site that happens to have the string "script" in the filename, they get a REJECT in the log, and the browser times out. (enable_http_propfind is enabled for MS SharePoint compatibility.) This has been recreated consistently, including with an empty .TXT file named description.txt.

Are they kidding? Absolutely *NO* script tags or html functions of that sort are being invoked, but the mere presence of the string "script" triggers SD to reject the traffic.

We haven't purchased SmartUpdate for this device, so perhaps it has been fixed.

Any experience, input, or criticism? Am I missing something obvious?

Thanks!

__________________
Verum hoc dicitur non simile sit cuicumque creditur ab istis quibus laboro.
zencoder.net
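Added illustration, not part of the original post and not Check Point's code: the behaviour reported above is what a bare substring match on "script" would produce, as opposed to a match on an opening tag. The sketch compares the two on constructed request lines; how SmartDefense actually matches is an assumption, and the function names and paths are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not taken from the poster's logs).
# Second field: True if the request really carries a SCRIPT tag.
SAMPLES = [
    ("PUT /sites/team/Shared%20Documents/description.txt", False),
    ("PROPFIND /sites/team/Shared%20Documents/transcripts/", False),
    ("POST /sites/team/upload.aspx?name=subscription-list.xls", False),
    ("GET /search.aspx?q=%3Cscript%3Ex%3C/script%3E", True),
    ("GET /search.aspx?q=<SCRIPT src=//example.invalid/x.js>", True),
]

# Tag-aware pattern: "<", optional whitespace, then "script" as a whole word.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def substring_match(request_line: str) -> bool:
    """Flag any request containing the letters 'script' (assumed behaviour)."""
    return "script" in unquote(request_line).lower()


def tag_match(request_line: str) -> bool:
    """Flag only an opening <script ...> tag, after percent-decoding."""
    return bool(SCRIPT_TAG.search(unquote(request_line)))


def evaluate(matcher):
    """Return (false_positives, false_negatives) for a matcher over SAMPLES."""
    fp = [r for r, has_tag in SAMPLES if matcher(r) and not has_tag]
    fn = [r for r, has_tag in SAMPLES if not matcher(r) and has_tag]
    return fp, fn


if __name__ == "__main__":
    for name, matcher in (("substring", substring_match), ("tag-aware", tag_match)):
        fp, fn = evaluate(matcher)
        print(f"{name}: {len(fp)} false positives, {len(fn)} false negatives")
        for line in fp:
            print("  rejected benign request:", line)
```

Both matchers catch the two tagged requests; only the substring matcher also rejects description.txt, transcripts and subscription-list.xls.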