Saturday, September 18, 2010

ASP.NET Security Vulnerability And A Work-around

Microsoft issued a security Advisory about a vulnerability in ASP.NET :

Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.  

-- Microsoft Security Advisory (2416728)

While the issue is still being investigated, Scott Gu offers a workaround that could help prevent hackers succeed in using the loophole. The work around is to hide specific/detailed error code information to the user and instead display a generic error page.

The blog post also offers a script that you can run on your web sever to identify all applications that need to be patched.  Take a look and patch your applications ASAP.

No comments:

Post a Comment