Old 07-13-2011, 01:41 PM   #1 (permalink)
Newbie
 
Join Date: Mar 2008
Location: Canton, GA, USA
Posts: 10
Yahoo Blocked

Just FYI,

I had to disable the following stock rule in the Intrusion Prevention module after a user complained of being unable to access her Yahoo webmail. The URL she was using was http://us.mg2.mail.yahoo.com/dc/launch.
Category: web-php
Signature: tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Pajax arbitrary command execution attempt"; flow:established,to_server; content:"method"; nocase; pcre:"/\x22method\x22\s*\x3a\s*\x22[A-Z]\w*[^\x22]/smi"; reference:bugtraq,17519; reference:cve,2006-1551; reference:cve,2006-1789; classtype:web-application-attack; sid:8734; rev:1
Name: Name
SID: 8734
Block: x
Log: x
Description: Pajax arbitrary command execution attempt
Things worked once I unblocked that rule.
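
Why this signature fires on ordinary webmail traffic, as an added example that is not part of the original post or of Untangle's rule set: the `i` flag makes `[A-Z]` match any letter, and `\w*` can backtrack one character so that `[^\x22]` is satisfied by a plain letter, which means any JSON `"method":"name"` pair with a name of two or more characters matches. The sample bodies are constructed, and `TIGHTENED` is a hypothetical variant assumed here for comparison, not an official fix.

```python
import re

# PCRE from SID 8734 as quoted in the post above. Snort's /smi flags map to
# DOTALL, MULTILINE and IGNORECASE in Python's re module.
SID_8734 = re.compile(r'\x22method\x22\s*\x3a\s*\x22[A-Z]\w*[^\x22]',
                      re.S | re.M | re.I)

# Hypothetical tightened variant (an assumption, not an Untangle or Snort fix):
# the character after the identifier must be neither a word character nor the
# closing quote, so backtracking cannot satisfy it with a plain letter.
TIGHTENED = re.compile(r'\x22method\x22\s*\x3a\s*\x22[A-Z]\w*[^\w\x22]',
                       re.S | re.M | re.I)


def rule_fires(payload: bytes, pcre=SID_8734) -> bool:
    """Mimic the rule's payload checks: content:"method"; nocase; then pcre."""
    text = payload.decode("latin-1")
    if "method" not in text.lower():
        return False
    return pcre.search(text) is not None


# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "benign_jsonrpc": b'{"method":"ListFolders","params":[{}]}',
    "benign_spaced": b'{ "method" : "getMessages", "id": 7 }',
    "one_char_name": b'{"method":"x"}',
    "punctuation_in_name": b'{"method":"Obj;extra","params":[]}',
}


def evaluate(pcre=SID_8734) -> dict:
    """Return {sample name: True if the rule would alert on it}."""
    return {name: rule_fires(body, pcre) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    original, tightened = evaluate(), evaluate(TIGHTENED)
    for name in SAMPLES:
        print(f"{name:20} original={original[name]!s:5} "
              f"tightened={tightened[name]}")
```

Replaying saved benign requests through a candidate signature this way shows the false-positive rate before the rule is set to Block.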
Old 07-14-2011, 01:49 AM   #2 (permalink)
Newbie
 
Join Date: Jul 2011
Posts: 1

Why is that so, maybe a false positive issue? Anyway, the problem is that if you migrated to Yahoo Plus, it won't have options for going back to the old version anymore, as indicated by Yahoo. As I've noticed in our office, one or two employees are frequently escalating this problem; that was one month ago if I remember.
Old 07-14-2011, 07:11 PM   #3 (permalink)
Newbie
 
Join Date: Apr 2009
Posts: 5

We have seen the same problem! Thank you for pointing me in the right direction. My wife is so much happier now that she can use her Yahoo! Mail again.
Old 07-17-2011, 05:44 AM   #4 (permalink)
Untanglit
 
 
Join Date: Jun 2010
Location: Concord Ohio
Posts: 16

I was having the same problem after upgrading to the new Yahoo mail. Thank you, Pdugas.
__________________
"Hardware, n.: The parts of a computer system that can be kicked."
"BUG, n.: An undesirable, poorly-understood undocumented feature."

Last edited by vantim; 07-17-2011 at 05:58 AM..
Old 07-17-2011, 10:44 AM   #5 (permalink)
Untangle Ninja
 
 
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,457

This has been posted before. I believe DMorris indicated that in a future release of Untangle that rule in the IDS module will be disabled because of the false positive potential.

In the meantime if you aren't ready to deal with the false positives that come from using the Intrusion Prevention module, I suggest you turn it off and remove it from the rack.

The change with 9.0 is that module actually works now! Before it really didn't do much.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
Old 07-18-2011, 07:58 AM   #6 (permalink)
Untangler
 
Join Date: Oct 2008
Posts: 84

This has been driving me crazy! Ty so much for sharing the solution! If anyone has trouble finding it, just search by "ID" and look for 8734; it's on page 93 or 94.
Old 07-21-2011, 07:53 AM   #7 (permalink)
Master Untangler
 
Join Date: Mar 2011
Location: Auburn, NY
Posts: 256

Hit this issue this morning, no biggie though; just disabled the block and only logging.
Old 07-21-2011, 07:59 AM   #8 (permalink)
Untangle Ninja
 
 
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,457

http://forums.untangle.com/intrusion...ntuit-com.html

Just for reference in case someone else runs into this issue with Intuit.com's store. This link has another rule in it that causes their store to return a white page in Firefox, or a 404 in IE, randomly at different points in the purchasing process.
Old 09-22-2011, 06:31 AM   #9 (permalink)
Newbie
 
Join Date: Jul 2011
Posts: 13

Had the same issue with Yahoo with rule 8734. This also fixed access to the site grooveshark.com.
Old 10-04-2011, 08:45 AM   #10 (permalink)
Newbie
 
Join Date: Sep 2011
Posts: 6

I have one person that can't log in to Yahoo Instant Messenger but others can. Turning off 8734 did not help. I am on the Lite version. The user can use IM with Spyware, Filter, Intrusion, Protocol and Attack panels on but Spam, Phish and Virus must be off. Any ideas?

Last edited by miclog; 10-04-2011 at 10:04 AM..
All times are GMT -7.

