Privacy Communications Microsoft

MSN Censors Your IM

Jamie ran across a story about censorship on MSN. Essentially, a number of suspicious strings result in silent failure of delivery. The strings are unsurprisingly things like .scr and .info. They've started maintaining a list if you're interested. Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.
  • by KingSkippus ( 799657 ) * on Sunday August 05, 2007 @09:07AM (#20120937) Homepage Journal

    From an article that is linked to from this one:

    The link filter does not take canonical URLs into account: http: //evil.example.com/download.php and http: //evil.example.com/down%6Coad.php is the same URL, expressed in two different ways. The first one is blocked, while the second one is not.

    Or for that matter, http: //tinyurl.com/z35a5.

    Kind of reminds me of our software filter where I work. They blocked firefox.exe from running. My solution? I renamed the file to iexplore.exe. Worked like a charm.

    It's also probably worth noting that the messages are blocked on the server, not the client. That means that it will block the message whether you're using the MSN client, Pidgin, or any other client to access MSN.

    My advice: Get a frickin' Google mail account already and use Google Talk [google.com] instead.

    • by lattyware ( 934246 ) <gareth@lattyware.co.uk> on Sunday August 05, 2007 @09:12AM (#20120987) Homepage Journal
      Or just any Jabber client, for that matter.
    • squashed?

      And what does every Linux web server come with?

      RIGHT...
      • by jZnat ( 793348 ) *
        Every Linux web server comes with Perl also...

        Anyhow, I think it's because script kiddies tend to use (or exploit) PHP applications more often than other scripting languages due to its high availability in cheap hosting environments.
        • by DrSkwid ( 118965 )
          Also the php files are in the document_root directory (or whatever you want to call it). Write access to document_root should be off but it usually isn't.

          Perl and other CGI stuff is usually script aliased out of document_root and run from there

          /www/public_html # document root
          /www/public_html/index.php # shitty PHP script
          /www/cgi-bin
          /www/cgi-bin/dirty_perl.pl # Long tooth Larry's stuff

          And pl files also need chmod +x ing whereas php files will just run.

          Those crazy "easy to set up" routes get you ow
          • Re: (Score:3, Insightful)

            by Lillesvin ( 797939 )

            Also the php files are in the document_root directory (or whatever you want to call it).

            Yeah, on the server - then they could exploit the server hosting them... Why on earth would MS care about that? They're doing the filtering to protect the end-users from exploits of vulnerabilities in the MSN client. It doesn't matter the least bit if it's PHP, Perl, Ruby, ASP or whatever that runs on the server-side - it's what is returned from the server-side that matters. I'll have to agree with the guy guessing th

      • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Sunday August 05, 2007 @10:29AM (#20121671) Homepage Journal

        And what does every Linux web server come with?

        Perl.

        Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation [apache.org]:

        • With Options MultiViews, the client requests /download?foo=bar. Apache HTTP Server will look for a file called download, not find it, and then search for download.* and run the first thing it finds.
        • Type-mapped negotiation in Apache works much the same way, except it uses .var files (similar to Windows shortcuts) that point to your script. For instance, /download?foo=bar would reference /download.var, which points to /download.php. It's useful if you have a lot of small requests, for which the repeated directory scans performed by MultiViews might become CPU-bound.
        • Rename download.php to download/index.php, and Apache will find it when it scans index.* to display a default page for a directory.
        • Last but not least, mod_rewrite.
        • by Zonk (troll) ( 1026140 ) on Sunday August 05, 2007 @11:13AM (#20122151)
          Or, do it the way I do.

          1. Name the PHP file "download".
          2. Use this option either in httpd.conf or .htaccess:

          <Files /path/to/file/download>
          SetHandler application/x-httpd-php
          </Files>

          3. Access it like:
          http://localhost/download or accept arguments like http://localhost/download/file.odt

          If you want to get what comes after the slash, this is all you need:

          $thePath = explode("/",ereg_replace($_SERVER['SCRIPT_NAME']," ",$_SERVER['REQUEST_URI']));


          file.odt would be located in $thePath[1].
        • Re: (Score:3, Interesting)

          Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation [apache.org]:

          Another option is to use the AddType directive to have other file extensions run through the PHP interpreter. If you don't have any static pages on your site or can accept the minor performance hit, you can send all .html files through PHP.

    • And simply renaming worked? Your IT department is pretty inept.
      • by lattyware ( 934246 ) <gareth@lattyware.co.uk> on Sunday August 05, 2007 @09:18AM (#20121037) Homepage Journal
        An inept IT department?
        OMFG!
        Someone alert the world press!
    • I've about had it with Google's spying, Microsoft's spying/interference, Yahoo's spying, and pretty much everything and everyone else that is working to profile ad nauseam.
    • by ChowRiit ( 939581 ) on Sunday August 05, 2007 @10:40AM (#20121781)
      People always miss the point in these arguments, and say "get such and such instead" - it doesn't help, because my friends use MSN, and probably the same for most tech savvy MSN users. Sure, I'd rather use a better protocol, but I'm stuck using what my friends are on. This is the problem with "picking" an IM - the decision isn't made by you, but by the people you want to talk to who already have picked one.
      • This is why I have accounts all over the place on my Kopete -- there are people that I actually want/need to talk to occasionally who are on various other networks, everything from MSN to Yahoo. It's actually no more work for me to set those up and maintain them than it is to run Jabber.

        But I also used to have a Jabber server. (Or I used to, and I will again when I get around to setting it up again.) I tell most people to just download Google Talk, though. That's the thing -- Jabber is trying to take IM whe
      • Re: (Score:3, Insightful)

        by Alchemar ( 720449 )
        I had the same problem.... I picked better friends.

        Anyone that I have any relation with knows that I will not contact them via MSN, AIM, My Space, Live Journal or any of their like. If they wish to communicate they can call me on the phone or send an email. If they push the point, I suggest that they learn to use IRC or obtain a HAM radio license with a morse code rating, and I will gladly send them an instant message. Most have selected the telephone as their main choice, but one now holds a General c
    • The Solution! (Score:5, Insightful)

      by causality ( 777677 ) on Sunday August 05, 2007 @12:46PM (#20123141)
      The solution?

      Apply some idea of "common carrier" status to MSN. Like the telephone companies, as long as they do not attempt to edit or censor the content that passes through their networks, in any way, then they are not responsible and cannot be held liable for any damage caused by such content. But the moment they start taking measures like this to try to "sanitize" the content of the network, make them legally liable to pay damages for any successful attack/exploit that they are unable to prevent.

      Overnight, this stupidity would go away. It would also set a great precedent for any other companies that wish to do this.
    • by Geekbot ( 641878 )
      Just watch out that they aren't using other software to monitor processes. You can change the filename to bypass the restrictions but there could be process monitoring software that would inform them that you are bypassing security measures. I doubt anyone cares *that* much, but CYA.
    • My advice: Get a frickin' Google mail account already and use Google Talk [google.com] instead.

      Sage advice, for a person with no friends. (Then again, if you have no friends, why would you use IM in the first place?)

      "Switching" to GoogleTalk is easy; convincing the 40+ people on my list to all "switch" to GoogleTalk is less easy. Saying that they need to "switch" to GoogleTalk to talk to me will most likely result in them not talking to me. (So I guess I'm not as popular as I thought!)

      Of course I put "switch"
  • by Aladrin ( 926209 ) on Sunday August 05, 2007 @09:10AM (#20120965)
    "Nothing for you to see here. Please move along."

    I'm guessing they're using that as a way to make sure only subscribers can get first post now? It wouldn't load for me until someone had posted.

    As for the IM... I don't care what it is, it's not their job to censor it. Virus check attachments, sure... But not censor the chat. Absolutely ridiculous. Reminds me of games that try to filter out all 'bad' words and end up filtering out words like 'fanny' because they mean 'butt' in the US and apparently refer to women's genitalia in the UK. How people NAMED Fanny deal with that, I can't imagine. There were quite a few more commonplace words that mean odd things in other languages or countries and were filtered as well. Ridiculous.
    • by KingSkippus ( 799657 ) * on Sunday August 05, 2007 @09:31AM (#20121167) Homepage Journal

      Reminds me of games that try to filter out all 'bad' words

      I play City of Heroes, and for some weird reason, it blocks the word "count." I think it was a typo when someone was entering words to block into the filter. It was just kind of funny, because I discovered it when I told someone, "Don't worry, you can count on me!" and it came out as "Don't worry, you can <bleep!> on me!" They had no idea what I was talking about, and it took a few entertaining minutes to hash out what was going on.

      • I remember on the Microsoft-run zone.com (a game site), the filter is also extremely harsh. They extended it to innocent topics that happen to get used for trolling a lot. (Don't ask how I know...) For example, you can't say "holocaust", apparently because people like to deny it, and you can't say any form of "racist".
      • by gbjbaanb ( 229885 ) on Sunday August 05, 2007 @09:53AM (#20121335)
        Ah, the northern UK town of Scunthorpe has been affected by this problem for some time now. I think a "Scun" must be a rude word in American English or something.
        • by jZnat ( 793348 ) *
          And you usually can't say "sniggers". What are you supposed to use? "Snickers"? That's a candy, not a verb that means "laughing".
        • Similar things happen to people who live in Coon Rapids, which is the name of a real town in Minnesota.
        • by glitch23 ( 557124 ) on Sunday August 05, 2007 @05:51PM (#20125455)

          Ah, the northern UK town of Scunthorpe has been affected by this problem for some time now. I think a "Scun" must be a rude word in American English or something.

          No, it's "Thor". We don't like Scandinavians.

      • by Buran ( 150348 )
        You can turn off the profanity filter. Go to Menu > Options and I think it is in the leftmost tab of the options window. Then you should no longer see this. But it's a per-user setting and is done on the receiving end so if your recipient has the filter on still they will see the censored word.

        Why it thinks "count" is a swear word, I've got no idea, but turning off the nanny filter remains one of the first things I do when setting up a new character (I seem to remember that the filter is, like the UI col
    • How people NAMED Fanny deal with that, I can't imagine.
      As far as I can tell, they revert to their legal given name Frances. But then how do people discuss mortgages [wikipedia.org] or chocolates [wikipedia.org] without "Fannie"?
    • by mpe ( 36238 )
      Reminds me of games that try to filter out all 'bad' words and end up filtering out words like 'fanny' because they mean 'butt' in the US and apparently refer to women's genitalia in the UK. How people NAMED Fanny deal with that, I can't imagine.

      Even more difficult if they are called "Fanny Babcock". IIRC Someone actually compiled a webpage entitled "Smut which only a machine could identify".
    • I play an MMO which has a reasonable language filter, or as reasonable as it can be. Rather than bleeping stuff, it simply substitutes the "bad" word for an "equivalent". It also makes for some rather hilarious conversations, once they decided that in most cases, you were allowed to swear so long as you didn't attempt to bypass the language filter.

      It doesn't catch everything, as it doesn't look at the boundaries of words, so that you can't get around "fuck" by saying "fucker" or "fucking".

      Here's a short list
  • I already knew some (Score:4, Interesting)

    by alx5000 ( 896642 ) <alx5000&alx5000,net> on Sunday August 05, 2007 @09:22AM (#20121083) Homepage
    Since the day I became almost crazy when I was trying to pass a URL which included 'download.php?' to a friend from a well trusted website. All of my messages sent back to me. PITA.

    Fortunately, it's kinda easily fooled if you randomly place a space and add "delete the space" at the end of the sentence. If they trust me in the first place, what prevents them from copy-pasting it and deleting a character as I requested?
    • It's not even a matter of trust, some people will follow instructions without asking why they are doing this. So your trick could be used to spam people and you'll get a lot of people that will do what you ask. It's even easier if you can tell people that the link goes somewhere that they might want to go, like cheap software, porn, cheap medicine, etc.
  • by noidentity ( 188756 ) on Sunday August 05, 2007 @09:23AM (#20121105)
    This isn't censorship; it's just a poor firewall. The difference is that the former is for stifling human communication, while the latter is to protect machines from malicious software.
  • by Fastolfe ( 1470 ) on Sunday August 05, 2007 @09:30AM (#20121145)

    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.

    Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM? Perhaps this is just one effort among multiple efforts to correct problems AND mitigate their effects? If it's going to take X weeks to fix the bug, but Y days to implement a filter that will stop some large percentage of infections, don't you think that both avenues are worth exploration at the same time? There's more to slowing and preventing the spread of malware than fixing the defect that allows them to propagate.

    This also assumes that the same organization even owns the bug in question. Not all of these defects may be Microsoft's problem to begin with. This might even be a MORE reasonable action for them to take, since they're doing "everything in their power" to fight the problem rather than just sitting on their hands waiting for a 3rd-party to correct their bug, and sitting on their hands longer waiting for the end user to update their software.

    • Re: (Score:3, Interesting)

      by RAMMS+EIN ( 578166 )
      ``Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM?''

      Yes.

      ``Perhaps this is just one effort among multiple efforts to correct problems AND mitigate their effects?''

      That sounds almost reasonable. Except that it implies that Microsoft actually makes a serious effort to fix the security holes they've saddled their users with. I had some hopes that, with Vista, they had actually started down that road, but these hopes have since been thoroughl
    • by SeaFox ( 739806 )

      Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM?

      Is this a joke question? We're talking about Microsoft, the company that leaves security holes in their products for months on end while churning more DRM into it.
  • .INFO (Score:4, Insightful)

    by tverbeek ( 457094 ) on Sunday August 05, 2007 @09:37AM (#20121203) Homepage
    I don't suppose it's occurred to Microsoft that .info is a perfectly valid TLD used by a significant number of legitimate web sites, and a perfectly appropriate string to include in an IM discussion.
    • by SRA8 ( 859587 )
      Ah...no wonder these .info domains sell so cheap...!
    • I don't suppose it's occurred to Microsoft that PHP is a perfectly valid scripting language used by a significant number of... No, of course they wouldn't. To Microsoft, real websites use ASP.NET...

      I mean, I frequently send links to specific webcomics [questionablecontent.net] to people I know on IM, but most of the people I know are on Yahoo or something better.
  • .com (Score:2, Funny)

    by Anonymous Coward
    Do they block those scary executable .com files too?
  • by jez9999 ( 618189 ) on Sunday August 05, 2007 @09:38AM (#20121223) Homepage Journal
    Here's one it started doing since the recent MS security drive. Any file that could possibly exploit a hole in any piece of software seems to be treated with serious suspicion. Somehow, this seems to include GIF files. So, when someone tried to send me a GIF file, I get this warning [game-point.net]. I download it anyway, and it's sitting on my hard drive. I can copy it somewhere else, open it, etc.

    However - and this is the kicker - when I click on the blue link to the file in the MSN chat window, I get this dialog [game-point.net]. Yeah, it actually DELETED the file I just downloaded. After I copied it using Explorer. And I have full access to it. Dunno who implemented that piece of genius.
    • Re: (Score:3, Insightful)

      by gardyloo ( 512791 )
      Yep, that's astoundingly annoying. IIRC, you can do a "Save To..." instead of allowing MSN to choose where to save it. Then it doesn't get deleted.
    • My MSN Messenger currently thinks that all MP3-files should be treated that way.. Quite ingenious the first time someone sent me some music they've made and voilà, all gone after the transfer (because we all know how fast MSN Messenger is at sending files)..

      This issue was brought to my attention a while back when they blocked _all_ links containing download.php. Yep. Not sure if they still do that, tho.
    • The file isn't deleted until you press the "OK" button, so when you see that awful message you still have time to open explorer and copy/move the file.
      I'll leave the subject of how unbelievably retarded the whole thing is to others.
  • ...as a web developer I need to find a new IM service? Great move. :P
  • And if they didn't (Score:2, Insightful)

    by nurb432 ( 527695 )
    The first person that got infected with something would bitch that Microsoft didn't do enough.

    Not that I'm fond of them either, but it seems they can't win either way these days.
  • by Deathlizard ( 115856 ) on Sunday August 05, 2007 @10:01AM (#20121401) Homepage Journal
    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place

    At least they're trying something (albeit a weak approach) to stop automated scripts from sending viruses all over their chat protocol.

    When you work on 1000+ college student laptops, you learn a lot of things about software students use in general, and one of these things you learn is:

    1) AIM is a Virus downloading service disguised as a chat protocol.

    I know that AOL doesn't do this on purpose, but it is so easy to hack that it might as well be. It's great when a 12 year old downloads a virus that infects Aim thinking it was some game (probably from AIM I might add), it sends "Hey check this out!" to his sister at the college containing an infected link or program, and the next thing you know you're running Aimfix and cleaning Zlob off on 300 PCs.

    If Aim would simply filter out the bad traffic (and they should be able to know if a client is spamming the servers like crazy by heuristics alone) it would stop a lot of scams dead in their tracks.
  • Old news! (Score:4, Informative)

    by Stormx2 ( 1003260 ) on Sunday August 05, 2007 @10:04AM (#20121423)
    This has been known about for years. Here's a digg posting [digg.com] from over a year ago...
  • It's probable that they're seeing a lot of automated traffic with these URLs. They know for sure that these are malicious networks and they're spreading on their IM client. Maybe they already patched the vulnerabilities, but these are people who have (apparently) not set auto update to work. Maybe they plan to fix it in the next roll-up but need a stopgap in the meantime. It's not hard to imagine an ethical scenario where you pretty much have to block that traffic. Now the question becomes how. I'm not sure
  • by MysticOne ( 142751 ) on Sunday August 05, 2007 @10:17AM (#20121543) Homepage
    You can set up your own server, you can control your own IM stuffs, and really ... it's just a better solution. You could still go with GTalk if you want access to the Jabber network without setting up a server or doing anything fancy, but in that case I'd recommend encryption for your conversations (you should probably do that anyway). If you just want to set up a new Jabber account on one of the public servers, head on over to jabber.org [jabber.org] and pick one out.
  • by hey ( 83763 )
    I wonder if MSN also spies on users. Do they have keywords in place to log messages related to possibly competing products, etc?
  • by arcade ( 16638 ) on Sunday August 05, 2007 @10:40AM (#20121783) Homepage
    Anyone who knows me knows that I haven't used windows since 1999. I simply can't stand the system, nor can I stand the corporation behind it.

    However. I'm also interested in computer security.

    It _MAKES SENSE_ to block stuff that has been observed in automated worms. It's a simple solution. It's not something that will make all systems invulnerable - but it _MAKES SENSE_. It's a quickfix. A quickfix that works.

    This is only "censorship" insofar that it actually prevents stupid automated worms to spread. It's a defensive measure. Not a perfect one, but one.

    Oh, and patching the holes. Sure. You can patch the holes. Then everyone has to update .. should we try to protect, or should we ignore those that do not upgrade their systems? The cynic in me tells me : "Let them be cracked". The humanitarian in me tells me: "Well, think of the victims of the DDOS attacks from the botnets of previously-vulnerable people".

    I'm dead tired of _idiots_ who think that any preventative measure is evil! censorship! bad!

    Microsoft is simply trying to help in this case. If you do not like it, use another IM service. Like Yahoo! .. or IRC for that matter. Heck. PLEASE go back to IRC. It's still the best means of communication there is.

    So, please you censorship-screaming morons:

    SHUT UP! STOP USING THEIR SERVICE IF YOU DO NOT LIKE IT. THEY ARE TRYING TO DO THE RIGHT THING IN THIS INSTANCE !

    *phew*. Now I have to go wash my brain. I've just defended satan.
    • Generally speaking, I agree with you. Unfortunately, as has been demonstrated in the article, the filtering can be avoided by countless methods of obfuscation. Thus, it's not really accomplishing anything at all.
      • It's accomplishing a fair amount by blocking some of the main MSN worms. If the messages of existing worms which contain specific phrases are blocked, then that stops in one move those existing worms from spreading in their current form. This is a good thing, if annoying if you have to send a legit URL...
    • perhaps you should consider exactly why it is that you think IRC is the best means of communication. Seriously? You think IRC is the best means of communication? No wonder I have so much trouble communicating with someone by going up to them and talking to them in person. I should try using IRC next time. Communication always works so much better when there's no pesky voice inflections or body language to deal with, and when there's things like network lag or netsplits. I find I always get my point acros
    • It _MAKES SENSE_ to block stuff that has been observed in automated worms. It's a simple solution. It's not something that will make all systems invulnerable - but it _MAKES SENSE_. It's a quickfix. A quickfix that works.

      That's just the problem - too many "quickfixes" and not enough inherent security that was part of the design from day one.

      Oh, and patching the holes. Sure. You can patch the holes. Then everyone has to update .. should we try to protect, or should we ignore those that do not upgrade

  • Fix what? (Score:5, Insightful)

    by defile ( 1059 ) on Sunday August 05, 2007 @10:42AM (#20121797) Homepage Journal

    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.

    Someone want to tell me how you fix a user who downloads and runs untrusted executable code?

    I've seen plenty of Linux n00bs get tricked into running rm -rf /. Or lynx -source example.com | sh

    MSN implementing filters on certain strings is just a small measure in a huge arms race any major IM system has to deal with.

    PS. You can save yourself the trouble of replying if you're going to tell me Linux only allows the user to destroy all of his files and not the entire OS.

  • This isn't at all new. A few friends and I discovered at least one of these independently over a year ago, and we then found it was a known but little publicised situation before that.
  • Vulnerabilities (Score:3, Insightful)

    by TopSpin ( 753 ) * on Sunday August 05, 2007 @12:25PM (#20122917) Journal

    I'd rather they fix the vulnerabilities
    How would you detect the idiocy level of the recipient? If you spam a thousand accounts with "OMG check this http://somedomain/hot-teen-s3x.scr [somedomain]" you just know some fraction of the audience will dutifully follow the link and then dismiss every prompt that appears trying to prevent installation.

    Worse, after they get their own machine hacked, they'll blame MSN. They'll contact whatever 'customer service' facility is provided and scream bloody murder. If they manage to get fired as a result they may even sue. Don't doubt that there are employers capable of getting litigious with MSN over it, also.

    Sadly, this is the reality of operating an IM/Email/SMS service [ubergoth.net] today. Look carefully at that graphic and realize that it is not an exaggeration.

    • by grcumb ( 781340 )

      I'd rather they fix the vulnerabilities

      How would you detect the idiocy level of the recipient? If you spam a thousand accounts with "OMG check this http://somedomain/hot-teen-s3x.scr [somedomain]" you just know some fraction of the audience will dutifully follow the link and then dismiss every prompt that appears trying to prevent installation.

      You know, I think you've got a point - in theory. In practice, however, stupid users tricks just don't have the same catastrophic effect in Linux or OSX. You can point to all kinds of technical details that make it way, but ultimately, you just have to accept that Windows is the least secure desktop environment in wide use today.

      Worse, after they get their own machine hacked, they'll blame MSN.

      Horse hockey. If people blamed the manufacturer for virus infections, Microsoft would be awash in a sea of litigation. I'll take things one step further and assert that one of

  • joe | optimism is just another word for false hope says: (18:57:18)
    http://yro.slashdot.org/article.pl?sid=07/08/05/13 11216 [slashdot.org]
    joe | optimism is just another word for false hope says: (18:57:25)
    I am now going to disprove this article
    joe | optimism is just another word for false hope says: (18:57:27)
    *ahem*
    joe | optimism is just another word for false hope says: (18:57:52)
    Microsoft suck massive donkey cocks. I really, really hope someone kicks Steve Ballmer right in the fucking head, preferably with a steel toed
  • I made the choice of using ".info" for my DSL server. I know a college that bounced email if it has ".info" in the BODY of the email.
  • So you're saying MSN is bad? Gosh, I had no idea! Quick, let's all switch!

    Hey, I just heard there are all these open standards that you can use to chat with one another! You won't be dependent on the goodwill of a single company, you needn't worry about people sniffing your messages, and there are lots of other advantages, too!

    Guys? Gals? Why is nobody coming with me...?
  • * .info
    * profile.php? (including '?')
    * download.php? (including '?')
    * gallery.php
    * pics.php
    * ListAllTopics.php
    * .scr (source)

    Where are the .asp filters? Or is windows mostly vulnerable to php?
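
Added example (not code from the thread or from Microsoft): the blocked-string list above applied two ways, first as a raw substring match as the thread describes, then against parsed and percent-decoded links, to show why the first both misses the `down%6Coad.php` form quoted earlier and blocks ordinary text. The rule sets, function names, case handling and sample messages are assumptions made for this sketch.

```python
import re
from urllib.parse import unquote, urlsplit

# Strings the thread lists as blocked (taken from the page).
BLOCKED_STRINGS = [".info", "profile.php?", "download.php?", "gallery.php",
                   "pics.php", "ListAllTopics.php", ".scr"]


def naive_blocked(message: str) -> bool:
    """Raw substring match on the message text (assumed case-sensitive)."""
    return any(s in message for s in BLOCKED_STRINGS)


# The rules below are this example's reading of the list, not MSN's logic.
BLOCKED_TLDS = (".info",)
BLOCKED_SUFFIXES = (".scr",)
BLOCKED_SCRIPTS = {"gallery.php", "pics.php", "listalltopics.php"}
BLOCKED_SCRIPTS_WITH_QUERY = {"profile.php", "download.php"}

# Things an IM client would turn into a clickable link.
LINK_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_links(message: str) -> list:
    links = []
    for raw in LINK_RE.findall(message):
        raw = raw.rstrip(".,;!)")          # sentence punctuation, not URL
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw          # bare www. link
        links.append(raw)
    return links


def canonical_parts(link: str) -> tuple:
    """Return (host, script name, has_query) in one canonical form."""
    parts = urlsplit(link)
    host = (parts.hostname or "").rstrip(".")   # hostname is lowercased
    path = unquote(parts.path).lower()          # %6C and l compare equal
    script = path.rsplit("/", 1)[-1]
    has_query = "?" in link.split("#", 1)[0]
    return host, script, has_query


def canonical_blocked(message: str) -> bool:
    """Match the same list against parsed, decoded links only."""
    for link in extract_links(message):
        try:
            host, script, has_query = canonical_parts(link)
        except ValueError:
            return True                    # unparseable link: fail closed
        if host.endswith(BLOCKED_TLDS) or script.endswith(BLOCKED_SUFFIXES):
            return True
        if script in BLOCKED_SCRIPTS:
            return True
        if has_query and script in BLOCKED_SCRIPTS_WITH_QUERY:
            return True
    return False


# Constructed sample messages, modelled on the examples in the thread.
SAMPLES = [
    "http://evil.example.com/download.php?id=1",
    "http://evil.example.com/down%6Coad.php?id=1",
    "rename it to config.information before saving",
    "see www.example.info/page",
    "http://tinyurl.com/z35a5",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"naive={naive_blocked(msg)!s:5} "
              f"canonical={canonical_blocked(msg)!s:5} {msg}")
```

The shortened link is passed by both functions: it carries none of the listed strings, so a decision on it needs the redirect target, which this offline sketch does not fetch.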
