
.NET Buzz Forum
ASP.NET Security Vulnerability

Scott Hanselman

Scott Hanselman is the Chief Architect at Corillian Corporation and the Microsoft RD for Oregon.
ASP.NET Security Vulnerability Posted: Oct 8, 2004 3:58 AM

This post originated from an RSS feed registered with .NET Buzz by Scott Hanselman.
Original Post: ASP.NET Security Vulnerability
Feed Title: Scott Hanselman's ComputerZen.com
Feed URL: http://radio-weblogs.com/0106747/rss.xml
Feed Description: Scott Hanselman's ComputerZen.com is a .NET/WebServices/XML Weblog. I offer details of obscurities (internals of ASP.NET, WebServices, XML, etc) and best practices from real world scenarios.
This has been blogged about over and over. This is another case where, if you had UrlScan or any decent URL security filter installed on your box, you'd be fine. Certainly it's a problem in ASP.NET, and Microsoft has an HttpModule to fix it. This means you can install this once and get the fix on all your systems, rather than adding it in the BeginRequest of the Global.asax.cs.

One interesting note: if you're confirming the user's Security Principal and Identity (WindowsPrincipal, FormsIdentity) in code, or are using a custom Principal (as I do as a best practice), your code will catch this problem even if ASP.NET Forms Authentication's AuthorizationModule didn't.

1) Updated http://www.microsoft.com/security/incident/aspnet.mspx with new information about the reported vulnerability.  This should help clear up some of the confusion we've seen about what is affected by this.  To be super clear, all ASP.NET applications, on ALL OS's should follow the guidance provided.

2) A new HTTP Module mitigation best practice.  This is in the form of an MSI installer that will help protect all ASP.NET applications on a Web server.  This MSI installer will place a binary into the GAC and update the machine.config file for ASP.NET.  You can find download information at http://www.microsoft.com/downloads/details.aspx?FamilyID=da77b852-dfa0-4631-aaf9-8bcc6c743026&displaylang=en

You can also download the MSI directly at http://download.microsoft.com/download/4/6/1/461433d5-cbac-4721-85cb-c5a514fd0049/VPModule.msi

3) Detailed guidance about the HTTP Module, how the MSI works, and how to deploy it.  You can find this KB Article at http://support.microsoft.com/?kbid=887289
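
The in-code principal and identity check described in the post, sketched as an added example (not code from the original post or from Microsoft). The names `SecuredPage`, `RequiredRole` and `IsAuthorized` are hypothetical; the point is that the page itself refuses to run for an unauthenticated principal, independent of whether the pipeline's authorization step was applied to the request.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class for pages that must never render for anonymous users.
// It repeats the authorization decision in code instead of relying only on
// the <authorization> rules in web.config being enforced by the pipeline.
public abstract class SecuredPage : Page
{
    // Assumption: a protected page names the role it requires
    // (null means any authenticated user is accepted).
    protected virtual string RequiredRole { get { return null; } }

    // Pure check, kept static so it can be unit tested without an HttpContext.
    public static bool IsAuthorized(IPrincipal user, string requiredRole)
    {
        if (user == null || user.Identity == null) return false;
        if (!user.Identity.IsAuthenticated) return false;

        // Accept only the identity types this application issues.
        // Extend this list if the application uses a custom IIdentity.
        if (!(user.Identity is FormsIdentity) && !(user.Identity is WindowsIdentity))
            return false;

        // A forms ticket that has expired is treated as no ticket at all.
        FormsIdentity forms = user.Identity as FormsIdentity;
        if (forms != null && forms.Ticket.Expired) return false;

        return requiredRole == null || user.IsInRole(requiredRole);
    }

    protected override void OnInit(EventArgs e)
    {
        if (!IsAuthorized(Context.User, RequiredRole))
        {
            // Fail closed before any control tree or page logic runs.
            Response.StatusCode = 401;
            Response.End();
            return;
        }
        base.OnInit(e);
    }
}
```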

 
