ASP.NET Security Threat

By | October 7, 2004 | .NET

4
  • Print
  • Print

I’ve been busy fixing the many applications at University today with this new security threat to ASP.NET applications.

Put simply, its a matter of canonicalization that could allow users to enter password protected areas of your sites by simply altering a URL.

A good how-to guide is available on the Microsoft support site, yet no formal fix has yet been released. You can protect your application however, by dropping 5 lines of code into your global.asax (available on the page)

Also for .NET developers, grab the patch for the GDI+ JPEG buffer overrun bug that has also recently been fixed.

Update: You can now download a patch to update your servers. Thanks to tchansen for the heads up.

Written By:

Philip Miseldine

Philip is a Computer Science PhD student at Liverpool John Moores University. He's still not mastered guitar tabs, never finished Mario, and needs a haircut. He discusses life at http://www.miseldine.com/.

Website
>> More Posts By Philip Miseldine

 

{ 4 comments }

RoskO October 22, 2004 at 12:08 am

Auto Updates should pick it up as well. :).

miseldine October 8, 2004 at 6:38 am

Good heads up! They hadn’t updated the Security bulletin when I posted.

tchansen October 8, 2004 at 12:46 am

The formatting on that didn’t come out well. Hopefully an administrator can correct the comment so that it is easier to see where to go…

tchansen October 8, 2004 at 12:44 am

Check out the HTTP Mitigation patch just released by Microsoft. It allows you to patch the entire server instead of modifying each application. They updated the incident page (http://www.microsoft.com/security/incident/aspnet.mspx) as well as posted the .msi for the patch (http://www.microsoft.com/downloads/details.aspx?familyid=DA77B852-DFA0-4631-AAF9-8BCC6C743026&displaylang=en).

Comments on this entry are closed.