Friday, October 08, 2004 3:03 AM bart

Possible ASP.NET vulnerability - more info on TechNet

Please check out this article ASAP: http://www.microsoft.com/security/incident/aspnet.mspx. The vulnerability appears to involve a canonicalization issue in the ASP.NET runtime that causes forms authentication to fail (or, more precisely, lets an attacker bypass forms authentication).

As a first countermeasure, Microsoft has released an HTTP module that checks for canonicalization issues with ASP.NET, available at http://support.microsoft.com/?kbid=887289. The included installer updates the machine.config file and registers the module in the GAC so that all sites on the machine are protected. As the vulnerability is still under investigation, please keep following this issue, since the posted fix only addresses the canonicalization issues known at this moment.
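
One way an HTTP module can perform this kind of check, given as an added example and not the code Microsoft ships with KB 887289: it rejects any request whose mapped physical path is not already in normalized form, before the authentication and authorization stages run. The class name `CanonicalPathModule` and the rule that "canonical" means "unchanged by `Path.GetFullPath`" are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Added illustration, not the module from KB 887289.
// Assumption: a path is "canonical" when Path.GetFullPath leaves it unchanged.
public sealed class CanonicalPathModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // BeginRequest fires before AuthenticateRequest and AuthorizeRequest,
        // so a rejected request never reaches the authorization rules.
        application.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose()
    {
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;
        if (!IsCanonical(application.Request.PhysicalPath))
        {
            // Fail closed and reveal nothing about the protected resource.
            throw new HttpException(404, "Not found.");
        }
    }

    // True only when the path the runtime mapped the URL to is already in
    // the normalized form the file system will resolve it to.
    public static bool IsCanonical(string physicalPath)
    {
        if (physicalPath == null || physicalPath.Length == 0)
        {
            return false;
        }
        try
        {
            string normalized = Path.GetFullPath(physicalPath);
            return String.CompareOrdinal(normalized, physicalPath) == 0;
        }
        catch (Exception)
        {
            // Malformed, over-long or unsupported paths count as non-canonical.
            return false;
        }
    }
}
```

A module like this takes effect once it is listed under `<httpModules>` in machine.config (all sites) or web.config (one application).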

Extract from the TechNet page:

Microsoft is continuing to investigate a reported vulnerability in Microsoft ASP.NET. Reports have indicated that an attacker could send specially crafted requests to a Web server running ASP.NET applications and bypass forms based authentication or Windows authorization configurations, and potentially view secured content without providing the proper credentials. Our initial investigation has revealed that all versions of ASP.NET could be affected, independent of the installed IIS version or IIS components.
