Microsoft Issues Ominous ASP.Net Security Warning

atalmadge

7:31 pm on Oct 7, 2004 (gmt 0)



From the Slashdot post:
A security flaw in Microsoft's ASP.NET apparently allows access to password-protected areas just by altering a URL. There's no patch yet, but in the meantime Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits. About 2.9 million web sites run on ASP.NET according to Netcraft.

encyclo

8:30 pm on Oct 7, 2004 (gmt 0)


Welcome to WebmasterWorld [webmasterworld.com], atalmadge. A little hint: you might want to try writing your own posts rather than doing a copy/paste from Slashdot (which is hardly an unbiased news source at the best of times)...

The description is misleading in the extreme too. Try this:

<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e) {
    // Refuse any request whose decoded path contains a backslash, or whose
    // physical path is not already in canonical form (e.g. contains "..").
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        throw new HttpException(404, "not found");
    }
}
</script>

Add above to Global.asax. Fixed. Panic over. So, no patch available? It sure looks like a patch to me...

plumsauce

4:09 am on Oct 8, 2004 (gmt 0)


Or, as I suggested to MS, as well as posting at /. and WHT, configure URLSCAN to drop requests containing the backslash. Problem solved. As a matter of fact, I think that was the default config for URLSCAN.

The urlscan.ini snippet can be found in either thread.
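
The same canonicalization test that encyclo's Global.asax snippet applies at request time, replayed offline over constructed IIS log lines to list the requests it (or a URLScan rule dropping backslashes, as plumsauce suggests) would have refused. This is an added example, not code from the thread or from Microsoft; the web root, the log format fields and the log lines are all made up for the demonstration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"  # assumed web root for the physical-path mapping

# Constructed W3C-style IIS log lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2004-10-07 19:31:02 192.0.2.10 GET /secure/report.aspx 200
2004-10-07 19:31:05 192.0.2.10 GET /secure\\report.aspx 200
2004-10-07 19:31:09 192.0.2.11 GET /secure%5Creport.aspx 200
2004-10-07 19:31:12 192.0.2.12 GET /public/../secure/report.aspx 200
2004-10-07 19:31:15 192.0.2.13 GET /public/index.aspx 200
"""

def physical_path(url_path: str) -> str:
    # Mirror Request.PhysicalPath: naive join of the web root and the decoded URL path.
    return WEB_ROOT + url_path

def is_non_canonical(raw_path: str) -> bool:
    """True for requests the Global.asax check would answer with 404."""
    # Request.Path is URL-decoded, so an encoded %5C counts as a backslash too.
    path = unquote(raw_path)
    if "\\" in path:
        return True
    # Equivalent of Path.GetFullPath(PhysicalPath) != PhysicalPath: any ".." segment
    # or doubled slash changes the path when it is normalised. normpath also strips a
    # trailing slash, which is legitimate for a directory request, so ignore that one.
    phys = physical_path(path)
    return posixpath.normpath(phys) != phys.rstrip("/")

def flag_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client-ip, cs-uri-stem) for every log line that fails the check."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or malformed lines
        client_ip, uri_stem = fields[2], fields[4]
        if is_non_canonical(uri_stem):
            hits.append((client_ip, uri_stem))
    return hits

if __name__ == "__main__":
    for ip, stem in flag_requests(SAMPLE_LOG):
        print(f"{ip} requested non-canonical path {stem}")
```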