Kirk Evans Blog

.NET From a Markup Perspective

What You Should Know About a Reported Vulnerability in Microsoft ASP.NET

  • Comments 5

Go to this page to find out more. 

  • Thanks for pointing this out Kirk. Does anyone know if this means web.config can be compromised?

    I've lost count of people who tell me it is OK to keep plain-text connection strings in web.config because it is protected by the webserver! This is like playing Russian Roulette with a gun you are ‘pretty sure’ has no bullets in it.

    Writing Secure Code gives a good explanation of canonicalization for those who are interested. Like many vulnerabilities, it looks pretty harmless until you see it in action. I hope to do a few demos of vulnerabilities at Jim's VB.Net group sometime soon. Halloween would be a good time – it will be scarier than Freddy Krueger on a bad hair day.
  • Kirk releases comments with a delay, so I only recently read the Scoble comment.

    Can anyone reproduce this? Over lunch I tried almost exactly what Robert linked to, and still get booted to the Login page. If anyone tests it, don't forget ASP.Net only performs security checks on the files it knows about, i.e. don't try to test the exploit with text files etc. FYI: if you need to secure other extensions (.gif, .jpg etc.) then add the HttpHandlers in machine.config (I think; it is well over a year since I did real web work).

    A way to mitigate? (for peer review): If you use Master Pages (don't we all) then double check the user is authenticated in Page_Init (or similar) before loading the user controls.
  • Sorry for the delays, I keep all comments as moderated, I (as most others do) had a lot of problems with comment spam.

    You should be able to leverage an HttpModule or Global.asax instead of modifying all pages in Page_Init. If the user is not authenticated, boot them out from there instead of letting it go all the way to your page. The link above to the KB article shows that you can use this same approach to check the canonicalization.

    As for the point that it only performs security checks on files it knows about, there is a catch-all entry in machine.config:

    <add verb="*" path="*" type="System.Web.HttpMethodNotAllowedHandler" />

    This assumes that the file extension in question is mapped to ASP.NET in your IIS settings. For instance, .htm and .html are not mapped to ASP.NET in IIS.
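The Global.asax approach described in the two comments above (a central authentication check plus the KB-style canonicalization check, both run before any page loads), as an added example; this is not code from the post, the commenters or the KB article. The login page location (~/login.aspx), the class and handler names, and the choice to answer a non-canonical path with a 404 are assumptions.

```csharp
// Global.asax.cs (added example, not from the post or the KB article).
// Assumes Forms authentication with the login page at "~/login.aspx".
using System;
using System.IO;
using System.Web;

public class Global : HttpApplication
{
    // Assumed location of the login page; adjust to the application's own.
    private const string LoginPage = "/login.aspx";

    // Fires for every request that IIS hands to ASP.NET, before the
    // authorization module compares the URL against web.config rules.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!IsCanonicalRequest(Request))
        {
            // Ends the pipeline here; the request never reaches a page.
            throw new HttpException(404, "Not found");
        }
    }

    // True only when the virtual path contains no backslashes and the
    // physical path ASP.NET resolved is already in fully canonical form.
    public static bool IsCanonicalRequest(HttpRequest request)
    {
        if (request.Path.IndexOf('\\') >= 0)
        {
            return false;
        }
        try
        {
            string physical = request.PhysicalPath;
            return string.Equals(Path.GetFullPath(physical), physical,
                                 StringComparison.Ordinal);
        }
        catch (ArgumentException)
        {
            // Path contains characters the file system rejects: fail closed.
            return false;
        }
        catch (NotSupportedException)
        {
            return false;
        }
        catch (PathTooLongException)
        {
            return false;
        }
    }

    // Central authentication check instead of repeating it in every page's
    // Page_Init. Runs after AuthenticateRequest, so Context.User is populated.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        string appRoot = Request.ApplicationPath.TrimEnd('/');
        bool isLoginPage = string.Equals(Request.Path, appRoot + LoginPage,
                                         StringComparison.OrdinalIgnoreCase);
        bool authenticated = Context.User != null
                             && Context.User.Identity != null
                             && Context.User.Identity.IsAuthenticated;
        if (!isLoginPage && !authenticated)
        {
            // Boot unauthenticated callers to the login page before any page
            // or user control in the request has a chance to load.
            Response.Redirect(appRoot + LoginPage, true);
        }
    }
}
```

Both handlers only run for requests that IIS actually maps to ASP.NET, which is the same limitation the comment notes for the catch-all machine.config entry: an extension such as .htm that IIS serves itself never enters this pipeline. The authorization check here supplements the `<authorization>` rules in web.config rather than replacing them; its value is that it does not depend on how the request path was spelled.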
  • Application_BeginRequest in Global.asax was an obvious solution, doh! Told you I don't do much web stuff anymore.

    >>As for the pages that it only performs security checks on files it knows about...
    AFAIK IIS has to be configured to send the files to ASP.Net's http handler thingy (getting out of one's depth here). The default operation is that you see images etc. without having to be authenticated. We made a http handler/module (?? it was too long ago!) to prevent news sites etc. leeching our public images like camera feeds etc.

    If anyone does replicate the issue please mail me.
  • The post that indicated it was by Robert Scoble was not actually by him. It has been removed.