This post originated from an RSS feed registered with .NET Buzz
by Scott Hanselman.
Original Post: ASP.NET Security Vulnerability
Feed Title: Scott Hanselman's ComputerZen.com
Feed URL: http://radio-weblogs.com/0106747/rss.xml
Feed Description: Scott Hanselman's ComputerZen.com is a .NET/WebServices/XML Weblog. I offer details of obscurities (internals of ASP.NET, WebServices, XML, etc) and best practices from real world scenarios.
This has been blogged about over and over. This is another case where if you
had UrlScan or any decent security url filter installed on your box, you'd be
fine. Certainly it's a problem in ASP.NET, and Microsoft has an HttpModule to
fix it. This means you can install this once and get the fix on all your systems,
rather than adding it in the BeginRequest of the Global.asax.cs.
One interesting note, if you're confirming the user's Security Principal and Identity
(WindowsPrincipal, FormsIdentity) via code, or are using a custom Principal (as I
do as a best practice) your code will catch this problem even if ASP.NET Form's Authentication's
1) Updated http://www.microsoft.com/security/incident/aspnet.mspx with
new information about the reported vulnerability. This should help clear up
some of the confusion we've seen about what is affected by this. To be super
clear, all ASP.NET applications, on ALL OS's should follow the guidance provided.