Monday, September 20, 2010

Important ASP.NET security vulnerability for ALL versions, and for every app built on it (SharePoint, DNN, Reporting Services, any .aspx page)

MSFT just released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET.

What an attacker can do with it

  • Request and download files within an ASP.NET application, such as the web.config file (which often contains sensitive data).
  • Even your DLL assemblies in the Bin directory (they can then use .NET Reflector to see all the source code).

How to fix it

  • When an error happens (an exception is thrown, status 500, or a file does not exist, status 404), do NOT return a dedicated error code like 404 or 500. The attack depends on the server telling the client, through different responses, which kind of failure a tampered request caused; if every failure produces the same response, the attacker gets no information to work from.
    • For web.config, enable customErrors (mode On or RemoteOnly) and remove the per-status-code error mappings, so every error lands on the same generic page:
      • <system.web>
           <customErrors defaultRedirect="GenericError.htm"
                         mode="RemoteOnly">
             <!-- remove these per-status mappings: every error must
                  go to the single defaultRedirect page -->
             <error statusCode="404"
                    redirect="404.htm"/>
             <error statusCode="403"
                    redirect="403.htm"/>
           </customErrors>
        </system.web>

      For a custom handler or HTTP module, make sure the status code is always 200 even when an exception happens. Before (the status code reveals which kind of failure occurred):
        if (userNoAccess)
        {
            response.StatusCode = 403;   // access denied is distinguishable from other failures
        }

        try
        {
            // ... handler work ...
        }
        catch (Exception ex)
        {
            Log.logError(ex);
            response.StatusCode = 500;   // server error is distinguishable from other failures
        }

        Change it to (every outcome looks the same to the client; the details stay in the log):
        if (userNoAccess)
        {
            response.StatusCode = 200;
        }

        try
        {
            // ... handler work ...
        }
        catch (Exception ex)
        {
            Log.logError(ex);            // keep the detail server-side only
            response.StatusCode = 200;
        }
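As an added example (not code from the original post), here is a small Python script that audits a web.config for the customErrors settings described in the fix list above: it flags a missing or disabled customErrors element, a missing defaultRedirect, and any per-status-code error mappings. The two config strings are constructed samples, one weak and one corrected.

```python
"""Audit an ASP.NET web.config for the customErrors workaround.

Added example, not code from the original post. Reports anything that would
make error responses distinguishable: customErrors missing or Off, no single
generic page, or per-status-code <error> mappings.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the weak configuration (mode Off, per-status mappings).
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors defaultRedirect="GenericError.htm" mode="Off">
      <error statusCode="404" redirect="404.htm"/>
      <error statusCode="403" redirect="403.htm"/>
    </customErrors>
  </system.web>
</configuration>
"""

# Constructed sample: the corrected configuration (every error goes to one page).
FIXED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors defaultRedirect="GenericError.htm" mode="On"/>
  </system.web>
</configuration>
"""


def audit_custom_errors(config_xml):
    """Return a list of findings; an empty list means the workaround is in place."""
    findings = []
    root = ET.fromstring(config_xml)
    custom_errors = next(root.iter("customErrors"), None)
    if custom_errors is None:
        return ["no <customErrors> element: ASP.NET serves its own status-specific error pages"]

    # ASP.NET treats a missing mode attribute as RemoteOnly.
    mode = custom_errors.get("mode", "RemoteOnly")
    if mode.lower() not in ("on", "remoteonly"):
        findings.append(f'customErrors mode="{mode}": set it to On or RemoteOnly')

    if not custom_errors.get("defaultRedirect"):
        findings.append("no defaultRedirect: there is no single generic page to send every error to")

    # Any per-status mapping lets a client tell one failure from another.
    for err in custom_errors.findall("error"):
        findings.append(
            f'per-status mapping statusCode={err.get("statusCode")} -> {err.get("redirect")}: '
            "remove it so every error returns the same page"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        result = audit_custom_errors(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against a real web.config by reading the file into a string and passing it to audit_custom_errors; an empty result means the element is enabled, points at one generic page, and has no per-status mappings.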

When will MSFT release the patch?

  • It looks like the team is still in the investigation phase gathering more details; I don't think it will take a long time.
