This is today's HOT NEWS for ASP.NET developers!
There is a report of an ASP.NET vulnerability, and Microsoft is currently investigating the issue. The problem is that ASP.NET fails to perform proper canonicalization of some URLs, so a URL can map to a resource other than the one the server thinks it is serving.
This issue affects Web content owners who are running any version of ASP.NET on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional, and Windows Server 2003.
To learn more about this issue and the recommended best-practice guidance, visit
http://www.microsoft.com/security/incident/aspnet.mspx
Wednesday, March 16, 2005
1 comment:
The ASP.NET Team have confirmed that all versions of ASP.NET on all operating systems may be susceptible to this potential exploit. They strongly recommend you do one of the two available fixes:
1. Apply the code below to the global.asax for each of your applications.
OR
2. Install the special HTTP handler.
Option One - Add code to global.asax.
To use this option, add one of the following code samples to global.asax:
Global.asax code sample (Visual Basic .NET)
    Sub Application_BeginRequest(Sender As Object, E As EventArgs)
        ' Reject any request whose URL path contains a backslash (Chr(92)),
        ' or whose mapped physical path is not already in canonical form.
        If (Request.Path.IndexOf(Chr(92)) >= 0 Or _
            System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) Then
            Throw New HttpException(404, "Not Found")
        End If
    End Sub
Global.asax code sample (C#)
    void Application_BeginRequest(object source, EventArgs e)
    {
        // Reject any request whose URL path contains a backslash,
        // or whose mapped physical path is not already in canonical form.
        if (Request.Path.IndexOf('\\') >= 0 ||
            System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath)
        {
            throw new HttpException(404, "not found");
        }
    }
Option Two - Install the HTTP Handler
Microsoft has released an HTTP module that Web site administrators can apply to their Web server that will protect all ASP.NET applications on the server against URL canonicalization problems known to Microsoft as of the publication date. This module, as well as detailed guidance and deployment information, is available from the Microsoft Download Center.
http://www.microsoft.com/downloads/details.aspx?familyid=DA77B852-DFA0-4631-AAF9-8BCC6C743026&displaylang=en
The ASP.NET team is continuing to work on this problem and will post more information once it becomes available to http://www.microsoft.com/security/incident/aspnet.mspx.
Regards,
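As an added illustration (not part of the original post or of Microsoft's published code), the Python below mirrors the two tests in the global.asax mitigation and runs them over a few constructed request/physical-path pairs. It assumes that ntpath.normpath is a fair stand-in for System.IO.Path.GetFullPath's handling of "." and ".." segments and slash direction.

```python
import ntpath

# Constructed web root for the sample requests (assumption, not from the post).
ROOT = r"C:\inetpub\wwwroot\app"


def should_reject(request_path: str, physical_path: str) -> bool:
    """Return True when the global.asax check would answer 404.

    request_path  - the URL path as received (Request.Path)
    physical_path - the Windows file-system path the server mapped it to
                    (Request.PhysicalPath)
    """
    # Test 1: a backslash anywhere in the URL path is rejected outright
    # (Request.Path.IndexOf('\\') >= 0).
    if "\\" in request_path:
        return True
    # Test 2: the mapped path must already be canonical. ntpath.normpath
    # stands in for System.IO.Path.GetFullPath here (assumption); any
    # "." or ".." segment or forward slash makes the two differ.
    if ntpath.normpath(physical_path) != physical_path:
        return True
    return False


# Constructed sample requests: (Request.Path, Request.PhysicalPath).
SAMPLES = [
    ("/public/page.aspx", ROOT + r"\public\page.aspx"),              # canonical
    ("/public\\page.aspx", ROOT + r"\public\page.aspx"),             # backslash in URL
    ("/public/./page.aspx", ROOT + r"\public\.\page.aspx"),          # "." segment
    ("/public/sub/../page.aspx", ROOT + r"\public\sub\..\page.aspx"),  # ".." segment
]


def triage(samples=SAMPLES):
    """Apply the check to each sample and report the decision taken."""
    return [
        (path, "404" if should_reject(path, phys) else "serve")
        for path, phys in samples
    ]


if __name__ == "__main__":
    for path, decision in triage():
        print(f"{decision:5}  {path}")
```

Only the first sample is served; the other three trip one of the two tests, which is the behaviour the global.asax code above enforces for every request.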