MSFT just released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET.
What an attacker can use it for.
- Request and download files within an ASP.NET application, such as the web.config file (which often contains sensitive data).
- Even your DLL assemblies in the Bin directory (which can then be opened in .NET Reflector to see all the source code).
How to fix it.
- When an error happens (an exception is thrown, status 500, or a file does not exist, status 404), do NOT return a dedicated error code (like 404 or 500).
- In web.config, enable customErrors with mode set to On or RemoteOnly, and remove the per-status-code error mappings (the <error> sub-elements).
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
Before (distinct status codes tell the client which error occurred):
  if (userNoAccess == true) { response.StatusCode = 403; }
  try { /* request handling */ }
  catch (Exception ex) { Log.logError(ex); response.StatusCode = 500; }
Change it to (same status code for every outcome):
  if (userNoAccess == true) { response.StatusCode = 200; }
  try { /* request handling */ }
  catch (Exception ex) { Log.logError(ex); response.StatusCode = 200; }
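As an added example (not from the original post or from Microsoft), the web.config fragment below puts the leaky customErrors setting beside the corrected one. The error page paths are placeholders.

```xml
<!-- BEFORE: per-status-code mappings send a client to a different page for a
     404 than for a 500, so the response reveals which error path was hit.
     That distinction is exactly what the attack relies on. -->
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
      <error statusCode="404" redirect="~/notfound.html" />
      <error statusCode="500" redirect="~/servererror.html" />
    </customErrors>
  </system.web>
</configuration>

<!-- AFTER: no <error> sub-elements; every failure, whatever its cause,
     produces the same response. redirectMode="ResponseRewrite" (available
     from ASP.NET 3.5 SP1) serves the page in place instead of issuing a 302,
     so the status line is identical too. ~/error.html is a placeholder. -->
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.html" />
  </system.web>
</configuration>
```

Keep the error page itself static, so that its size and content do not vary with the underlying error either.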
When will MSFT release the patch?
- It looks like the team is still in the investigation phase to get more details; I don't think it will take a long time.