Important Information About an ASP.NET Vulnerability
by John Peterson
Microsoft has released a patch that is meant to help protect against
a reported vulnerability in ASP.NET. It's recommended that ASP.NET
users either install the patch or implement the previously-published
workaround to prevent unauthorized Web site visitors from viewing
secured content.
From Microsoft:
Microsoft is continuing to investigate a reported vulnerability in Microsoft ASP.NET.
Reports have indicated that an attacker could send specially crafted requests to a Web
server running ASP.NET applications and bypass forms based authentication or Windows
authorization configurations, and potentially view secured content without providing
the proper credentials. Our initial investigation has revealed that all versions of
ASP.NET could be affected, independent of the installed IIS version or IIS components.
Microsoft strongly advises, as a preventative measure, that all Web content owners and
administrators who are running any version of ASP.NET immediately read and implement
one of the suggestions made in the Microsoft Knowledge Base articles listed on
this page.
With the release of this patch, there are now two ways to address the problem:
the previously-published workaround and the patch itself.
The workaround consists of code that, while quite simple, needs to be added to every
application's Global.asax file.
This is troublesome to implement across many applications and does not protect applications created later.
Therefore, unless you have a specific reason to choose the workaround route, I'd recommend
using the patch.
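To show what the workaround route involves, here is an added example of a Global.asax code-behind that rejects non-canonical request paths before forms authentication or URL authorization runs. This is illustrative code written for this page, not Microsoft's published code (see the Knowledge Base article linked below for that), and it assumes the application class is named Global.

```csharp
using System;
using System.IO;
using System.Web;

// Added example (not Microsoft's code): a Global.asax code-behind that refuses
// requests whose path is not in canonical form, so the request never reaches
// the authentication and authorization checks with a disguised path.
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string virtualPath = Request.Path;
        string physicalPath = Request.PhysicalPath;

        // Two signs of a non-canonical request: a backslash in the virtual
        // path, or a physical path that changes when fully normalized.
        bool hasBackslash = virtualPath.IndexOf('\\') >= 0;
        bool notNormalized = !string.Equals(
            Path.GetFullPath(physicalPath), physicalPath,
            StringComparison.Ordinal);

        if (hasBackslash || notNormalized)
        {
            // Answer as "not found" so a filtered request reveals nothing
            // about why it was rejected.
            throw new HttpException(404, "Not found");
        }
    }
}
```

Because this runs per application, every application on the server needs its own copy, which is exactly the maintenance burden that makes the patch the easier choice.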
The patch is available as a free download from Microsoft's site.
It's basically just an HTTP module called ValidatePath which is distributed as
an .msi package. It installs quickly and easily without requiring a
reboot or web server restart and I've yet to hear of anyone having any problems with it.
You can find more information about the vulnerability and the different approaches
to eliminating it from the links below:
Links
- What You Should Know About a Reported Vulnerability in Microsoft ASP.NET
- HTTP Module to Check for Canonicalization Issues with ASP.NET - More info on the patch.
- How to Programmatically Test for Canonicalization Issues with ASP.NET - More info on the workaround.