ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by Jim Harrison [MSFT] » Mon, 06 Mar 2006 10:12:27 GMT

I guess it got lost in the dissertation, eh?

This fix will require only installation - there are no custom settings to
apply.

ISA will use the RFC-defined action; it will ignore the content-length
header and instead use the chunked data to perform quantitative validation.

--
Jim Harrison (ISA SE)
Read the help / books / articles / blogs!

This posting is provided "as is" with no warranties, and confers no rights.


"ZVR" wrote:

> Thanks for the update Jim! One question though. How is the hotfix handling
> the sites that are not RFC-2616 compliant? Once we apply the hotfix, do we
> get a new setting/tab/view etc somewhere in the ISA console that allows us
> to define "exceptions" to the http smuggling processing? Or is that just
> turned off globally by the hotfix.
>
> Thanks again,
> Virgil
>
>
>
> "Jim Harrison (MSFT)" < XXXX@XXXXX.COM > wrote in message
> news: XXXX@XXXXX.COM ...
> > ** ACTION **
> > 1. Call PSS
> > 2. Tell them I sent you
> > 3. Ask for the fix for ISA SE 34978
> >
> > ** NOTE **
> > This fix is still undergoing internal testing. If you are not willing to
> > participate in this hotfix testing, then please wait for
> > the official fix.
> >
> > ** DISCUSSION (kinda involved, so you can skip it if you like) **
> > ISA responds to a request with "Error Code: 502 Proxy Error. The HTTP
> > request includes a non-supported header. Contact your ISA
> > Server administrator. (12156)".
> > The likely reason for the behavior you're seeing in this case is new
> > logic that was added in ISA 2004 SP2 to mitigate HTTP
> > request smuggling. The process for this attack is a bit involved and a
> > whitepaper on the subject is available here:
> > https://www.watchfire.com/securearea/whitepapers.aspx
> >
> > RFC-2616 defines two headers; "content-length" and "transfer-encoding:
> > chunked" for the same purpose; that of providing quantitative
> > content validation for the receiver and states *very clearly* that the
> > server MUST NOT combine them in the same response. If the
> > server is configured such that it does violate this edict, RFC-2616 then
> > requires the receiving entity to ignore the content-length
> > value and instead use the chunked-encoding technique to validate the
> > length of the HTTP body. This places a processing burden on the
> > receiving entity (ISA, in this case), since a chunked-encoded transfer
> > can't be quantitatively validated until the transfer is
> > completed. In the case of a proxy, additional processing is imposed due to
> > caching behavior that may be dependent on content-size.
> >
> > The reason those sites are either failing outright (www.delta.com) or
> > rendering poorly (www.sun.com) is because we chose to reject
> > those responses entirely. Since RFC-2616 clearly states "don't combine
> > those headers" and doing so is a demonstrably malicious act,
> > it seemed unlikely that ISA would cause problems for any other than
> > malicious sites, and in fact, our testing validated this belief.
> > As it turns out, there are quite a few legitimate sites out there that
> > violate this part of RFC-2616 and so we have had to rethink
> > our answer to this problem.
> > --
> > --
> > Jim Harrison [ISA SE]
> > Read the help, books and articles!
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> >
>
>
>

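The Content-Length / Transfer-Encoding conflict discussed in Jim's post above, as an added example that is not part of the original thread and is not ISA Server code: a small Python receiver that parses a constructed response carrying both headers, shows what a receiver that trusts Content-Length would do with the same bytes (it cuts the body short and misreads the leftover chunk data as the next response), and implements the two policies under discussion: refusing the combination outright, as ISA 2004 SP2 did, and the RFC 2616 section 4.4 rule the hotfix follows, where the chunked framing wins and Content-Length is ignored. The message bytes, function names and policy labels are constructed for this example.

```python
# Added example for this thread: a receiver that frames an HTTP/1.1 response
# body under the two policies discussed (reject the Content-Length + chunked
# combination outright, or follow RFC 2616 section 4.4 and let the chunked
# framing win).  Not ISA Server code; the message bytes below are constructed.
import re

CRLF = b"\r\n"


class FramingError(Exception):
    """Raised when the body framing cannot be trusted or is truncated."""


def parse_head(raw):
    """Split raw bytes into (status_line, [(name, value), ...], body_bytes).
    Header names are lower-cased; duplicates are kept so both framing
    headers stay visible to the policy check."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise FramingError("no end-of-headers")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise FramingError("malformed header line %r" % line)
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def framing(headers):
    """Return (mode, conflict).  mode is 'chunked', 'length' or 'none';
    conflict is True when Content-Length and Transfer-Encoding: chunked
    are both present, which RFC 2616 says a sender MUST NOT do."""
    lengths = [v for n, v in headers if n == "content-length"]
    chunked = any("chunked" in v.lower()
                  for n, v in headers if n == "transfer-encoding")
    if chunked:
        return "chunked", bool(lengths)
    return ("length" if lengths else "none"), False


def decode_chunked(body):
    """Decode chunked data.  Returns (payload, leftover); leftover is what
    follows the terminating empty line, i.e. the next message on a
    persistent connection.  The payload size is only known once the
    zero-size chunk arrives, which is the processing burden Jim describes."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            raise FramingError("truncated chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise FramingError("bad chunk size %r" % size_field)
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            while True:                  # skip any trailers up to the empty line
                end = body.find(CRLF, pos)
                if end < 0:
                    raise FramingError("truncated trailer section")
                if end == pos:
                    return bytes(out), body[pos + 2:]
                pos = end + 2
        if body[pos + size:pos + size + 2] != CRLF:
            raise FramingError("truncated chunk data")
        out += body[pos:pos + size]
        pos += size + 2


def receive(raw, policy):
    """policy 'reject': refuse any response that combines the two headers
    (the SP2 behaviour behind error 12156).  policy 'rfc': ignore
    Content-Length whenever chunked is present (the hotfix behaviour)."""
    status, headers, body = parse_head(raw)
    mode, conflict = framing(headers)
    if conflict and policy == "reject":
        raise FramingError("response combines Content-Length and chunked")
    if mode == "chunked":
        payload, rest = decode_chunked(body)
    elif mode == "length":
        n = int(dict(headers)["content-length"])
        payload, rest = body[:n], body[n:]
    else:
        payload, rest = body, b""
    return status, payload, rest


def receive_trusting_length(raw):
    """What a receiver that wrongly prefers Content-Length does with the same
    bytes: it cuts the body short and treats the remaining chunk data as the
    start of the next response, desynchronising the connection."""
    status, headers, body = parse_head(raw)
    n = int(dict(headers)["content-length"])
    return status, body[:n], body[n:]


# Constructed sample: an origin that sends both headers, Content-Length
# disagreeing with the chunked body, followed by a second response on the
# same connection.
CONFLICTING = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
               b"Transfer-Encoding: chunked\r\nContent-Type: text/plain\r\n\r\n"
               b"6\r\nhello \r\n5\r\nworld\r\n0\r\n\r\n")
NEXT = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
STREAM = CONFLICTING + NEXT

if __name__ == "__main__":
    print(framing(parse_head(STREAM)[1]))        # ('chunked', True)
    try:
        receive(STREAM, "reject")
    except FramingError as e:
        print("reject policy:", e)
    print(receive(STREAM, "rfc")[1])             # b'hello world'
    print(receive_trusting_length(STREAM)[1])    # b'6\r\nhe'
```

Under the "rfc" policy the leftover bytes line up exactly with the start of the second response, while the length-trusting receiver is left holding `llo \r\n5\r\nworld...` as its "next" message; that desynchronisation is what makes the combination dangerous, and why a receiver that simply refuses it is the conservative choice until it turns out legitimate sites send it too.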
ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by Jim Harrison (MSFT) » Tue, 07 Mar 2006 07:36:17 GMT


Hello all,

I'm sorry to ask that you please stop calling.
PSS isn't able to provide the private fix unless your case gets escalated up the support chain, and the sheer volume of calls isn't
serviceable at that level right now. The fix for this issue will be released officially very soon and the announcement will be made
then.

Thanks for your patience...
--
--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by Patty » Tue, 07 Mar 2006 08:30:28 GMT

Thanks, Jim! The explanation is much obliged! There are many RFC's
that aren't followed or are interpreted in a way I normally wouldn't
consider, but it is what it is. Thanks for the info and may Microsoft
continue to be flexible in these instances :-). It is how Microsoft
came to be so big, I believe.

I will wait til it is officially released...and I hope it is soon :-).

Regards,

Patty

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by GBT2112 » Thu, 16 Mar 2006 07:15:28 GMT

Jim,

Thanks for keeping us all updated on this problem/fix. You specifically
reference the delta.com issue below in the fix, but I have users with other
sites that return the same error, but error code 500. Will the HF repair
other sites?

site in question:
http://www.nationalgeographic.com

error:
"Error Code: 500 Internal Server Error. The HTTP request includes a
non-supported header. Contact your ISA Server administrator. (12156)"

Thanks again for all the updates. Looking forward to publication of new KB
article.





<snip>


<snip>

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by Jim Harrison (MSFT) » Thu, 16 Mar 2006 09:03:02 GMT

I keep referencing the www.delta.com site because that's been the most frequently mentioned.

You'll also find similar (but less clear) problems by accessing www.sun.com as well, except in this case, you get a seriously
trashed web page; missing references galore. The key to this issue is the error text "The HTTP request includes a non-supported
header". In this case, the server is responding with a combination of "content-length" and "transfer-encoding: chunked", which
RFC-2616 states "MUST NOT" and which ISA rejects.

I took a capture of www.nationalgeographic.com and yes - they're sending exactly the same thing, and yes - the hotfix will solve
your problem with that site.

Unless you're actively capturing packets on the ISA external interface for sites which do not produce the 500 or 502 error, you may
not recognize the problem for what it actually is (www.sun.com, for instance).


We were (obviously) very surprised to discover how many legitimate sites behave this way.

--
--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by Phillip Windell » Thu, 16 Mar 2006 22:17:14 GMT


> "content-length" and "transfer-encoding: chunked", which

Where are these things even set in the Webserver? I'm not an IIS expert but
I messed with it quite a bit and have never seen anywhere to set (or not
set) this to be this way? Is this just an Apache "thing",..since one
example is Sun, I'm sure they aren't using IIS?

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by ZVR » Fri, 17 Mar 2006 01:33:17 GMT

It's more of an "application" type of thing, when web content is generated
programmatically by some application in the background. It's at the
developer's mercy then to mix content headers like that.

Virgil

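As an added illustration of Virgil's point about headers being set by the application rather than the web server, not part of the original thread and not code from any server or site mentioned in it: a hypothetical minimal server layer in Python that streams the body with chunked coding. The naive version forwards every header the application set, including a stale Content-Length, and so emits the combination RFC 2616 forbids; the strict version drops application-supplied framing headers before the server chooses the coding. The functions, header set and body are constructed for this example.

```python
# Added example, not code from any server or site named in the thread: how a
# server layer that streams with chunked coding ends up sending both framing
# headers when it blindly forwards what the application set, and the fix.
# The server functions, header set and body below are constructed.

CRLF = b"\r\n"
FRAMING_HEADERS = ("content-length", "transfer-encoding")


def encode_chunked(chunks):
    """Apply the chunked transfer-coding to an iterable of byte strings:
    a hex size line, the data and CRLF per chunk, then the zero-size last chunk."""
    out = bytearray()
    for chunk in chunks:
        if chunk:                    # a zero-size chunk would end the body early
            out += b"%x\r\n" % len(chunk) + chunk + CRLF
    out += b"0\r\n\r\n"
    return bytes(out)


def serialize(status_line, headers, body):
    """Join status line, header list and body into raw response bytes."""
    head = status_line.encode("latin-1") + CRLF
    for name, value in headers:
        head += ("%s: %s" % (name, value)).encode("latin-1") + CRLF
    return head + CRLF + body


def naive_server_response(app_headers, body_chunks):
    """The mistake: the server decides to stream, adds Transfer-Encoding:
    chunked, and passes through every application header unchanged, so a
    Content-Length the application computed earlier rides along with it."""
    headers = list(app_headers) + [("Transfer-Encoding", "chunked")]
    return serialize("HTTP/1.1 200 OK", headers, encode_chunked(body_chunks))


def strict_server_response(app_headers, body_chunks):
    """The fix: the server owns message framing.  Any Content-Length or
    Transfer-Encoding the application supplied is dropped before the
    server chooses exactly one coding for the response."""
    headers = [(n, v) for n, v in app_headers
               if n.lower() not in FRAMING_HEADERS]
    headers.append(("Transfer-Encoding", "chunked"))
    return serialize("HTTP/1.1 200 OK", headers, encode_chunked(body_chunks))


def has_both_framing_headers(raw):
    """Receiver-side check for the combination RFC 2616 forbids."""
    head = raw.split(CRLF + CRLF, 1)[0].lower()
    return b"content-length:" in head and b"transfer-encoding:" in head


# Constructed input: the application set a Content-Length from a template
# size that no longer matches the body it then generates piecemeal.
APP_HEADERS = [("Content-Type", "text/html"), ("Content-Length", "4096")]
CHUNKS = [b"<html><body>", b"<p>generated</p>", b"</body></html>"]

if __name__ == "__main__":
    print(has_both_framing_headers(naive_server_response(APP_HEADERS, CHUNKS)))   # True
    print(has_both_framing_headers(strict_server_response(APP_HEADERS, CHUNKS)))  # False
```

The same rule applies in reverse: a server that sends a fixed-length body should compute Content-Length itself from the bytes it actually writes and discard any Transfer-Encoding the application set, so that exactly one framing header ever leaves the box.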
ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by Phillip Windell » Fri, 17 Mar 2006 01:58:45 GMT

Ah!
I see.
It's those developers again.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by Phillip Windell » Fri, 17 Mar 2006 02:02:44 GMT


That means that the sites like Delta even have less of an excuse,..not only
did their guys do it,..but they had to do it on purpose. :-)

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by ZVR » Fri, 17 Mar 2006 02:06:38 GMT

> Ah!

Of course. They say the same about us, you know <ggg>

Virgil

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by dave » Fri, 17 Mar 2006 22:20:37 GMT

OK, moving back to the topic on hand here:

When will the hotfix be available on MU? I'm just not excited about
sitting on the phone for 6 hours trying to get this damn patch.

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header"

by Jim Harrison (MSFT) » Sat, 18 Mar 2006 00:56:54 GMT

Yes.

--
--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.

