UPDATED: Information on reported ASP.NET vulnerability


Recently, Microsoft received information about a vulnerability in ASP.NET. The ASP.NET team has been working hard to confirm and identify the scope of this vulnerability, and Microsoft has posted the following page containing information about the vulnerability:

http://www.microsoft.com/security/incident/aspnet.mspx

In addition, the following KB article describes steps you can take to provide additional protection for your applications against canonicalization issues such as the type involved in the vulnerability:

http://support.microsoft.com/?kbid=887459

If you are running ASP.NET applications, take the time to read this information and apply the recommended protections, in particular the Global.asax code described in the KB article. Note also that URLScan does not fully address this particular vulnerability, but because it rejects certain malformed URLs before they reach ASP.NET it offers some protection against other canonicalization issues and adds a further layer of defense.

UPDATE:
The advice at http://www.microsoft.com/security/incident/aspnet.mspx has been updated with a new fix for this vulnerability. The new fix, which can be installed using a simple MSI installer, adds an HttpModule at the server level that addresses the vulnerability across all ASP.NET applications on a given machine. If you're running ASP.NET, or any application that uses ASP.NET, you should install this fix.
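Both mitigations described above, the Global.asax code from the KB article and the server-level HttpModule in the MSI, perform a request-path canonicalization check before any page code runs. The following is an added illustrative example written for this page; it is not the code from KB 887459 or from Microsoft's downloadable module, and the class name, the exact rules (reject a backslash anywhere in the virtual path, reject a physical path that Path.GetFullPath would change), the web.config registration shown in the comment and the sample paths are my own assumptions. The idea it demonstrates is the general one: authorization rules are matched against the path as the client wrote it, while the file system resolves the path after normalization, so any request that is not already in canonical form is rejected rather than allowed to reach a resource under a different name.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not Microsoft's fix. The same IsCanonical test can be called
// from Application_BeginRequest in Global.asax to protect a single application,
// or registered as an HttpModule (as here) to cover every application on the box:
//
//   <system.web>
//     <httpModules>
//       <add name="PathCanonicalization" type="PathCanonicalizationModule"/>
//     </httpModules>
//   </system.web>
public class PathCanonicalizationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before authentication/authorization and page handlers.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Request;
        if (!IsCanonical(request.Path, request.PhysicalPath))
        {
            // 404 rather than 403: do not confirm that a protected resource exists.
            throw new HttpException(404, "Not Found");
        }
    }

    // Pure function so the rule can be exercised without an HTTP context.
    // Returns true only when the request path is already in canonical form.
    public static bool IsCanonical(string virtualPath, string physicalPath)
    {
        // A backslash is not a legitimate URL path separator, but Windows treats it
        // as one when mapping to the file system. A URL-based rule written for "/admin/"
        // may not match "/admin\page.aspx" even though both map to the same file.
        if (virtualPath.IndexOf('\\') >= 0)
            return false;

        try
        {
            // GetFullPath collapses ".", "..", doubled separators and trailing
            // dots/spaces. If it changes the string, the request was non-canonical.
            return Path.GetFullPath(physicalPath) == physicalPath;
        }
        catch (ArgumentException)
        {
            // Invalid characters in the path: treat as non-canonical, fail closed.
            return false;
        }
    }
}

// Constructed sample paths (assumed, for illustration) showing the rule in action.
public class CanonicalizationDemo
{
    public static void Main()
    {
        string root = @"C:\inetpub\wwwroot";
        Report("/admin/page.aspx", root + @"\admin\page.aspx");         // canonical: allowed
        Report(@"/admin\page.aspx", root + @"\admin\page.aspx");        // backslash: rejected
        Report("/admin/../page.aspx", root + @"\admin\..\page.aspx");   // dot segments: rejected
        Report("/admin/page.aspx.", root + @"\admin\page.aspx.");       // trailing dot: rejected
    }

    private static void Report(string virtualPath, string physicalPath)
    {
        string verdict = PathCanonicalizationModule.IsCanonical(virtualPath, physicalPath)
            ? "allow" : "reject (404)";
        Console.WriteLine("{0,-22} -> {1}", virtualPath, verdict);
    }
}
```

The rejection is deliberately coarse: anything that is not byte-for-byte canonical is turned away, which is the right trade-off for a defensive filter that sits in front of every handler. If a legitimate application relies on non-canonical URLs, fix the links rather than loosening the check.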

UPDATE II:
There's a new KB article at http://support.microsoft.com/?kbid=887787 that describes a potential issue you may encounter after you install the HttpModule fix described above, as well as solutions to the issue.

  • The hills are alive with the sound of music... KB links echoed through the blogosphere. As reported here, here, here, here, here, here, here, here, here, here (and too many other places to mention), MS has released a bulletin regarding this vulnerability. If you want to correct the problem, you should add the code from KB article 887459 to your Global.asax (or Global.asax.cs or Global.asax.vb, as the case may be). I still recommend using more fine-grained security checks on each page like I mentioned earlier and that you run URLScan and IISLockdown (if you can). Or upgrade to IIS 6. Better yet, do all of the above.