I’ve been busy fixing the many applications at University today with this new security threat to ASP.NET applications.
Put simply, its a matter of canonicalization that could allow users to enter password protected areas of your sites by simply altering a URL.
A good how-to guide is available on the Microsoft support site, yet no formal fix has yet been released. You can protect your application however, by dropping 5 lines of code into your global.asax (available on the page)
Also for .NET developers, grab the patch for the GDI+ JPEG buffer overrun bug that has also recently been fixed.
Update: You can now download a patch to update your servers. Thanks to tchansen for the heads up.
Related posts:
- Security Tip: Update Your Flash Player Adobe applications come under more fire with alerts of serious...
- Bad News for Microsoft: Windows, IE Net Usage Dip Lower According to Net Applications, share of web visits for Microsoft...
- Microsoft Security Essentials: a Review Microsoft Security Essentials may be free but is it any...
- Webmail Security Breaches Continue Hackers and criminals are exploiting the accounts of the 30,000...
- Australia’s Net Censorship Sparks Outrage Australia's government is about to launch a mandatory nationwide censoring...
Check out the HTTP Mitigation patch just released by Microsoft. It allows you to patch the entire server instead of modifying each application. They updated the incident page (http://www.microsoft.com/security/incident/aspnet.mspx) as well as posted the .msi for the patch (http://www.microsoft.com/downloads/details.aspx?familyid=DA77B852-DFA0-4631-AAF9-8BCC6C743026&displaylang=en).
October 8th, 2004 at 12:44 am
The formatting on that didn’t come out well. Hopefully an administrator can correct the comment so that it is easier to see where to go…
October 8th, 2004 at 12:46 am
Good heads up! They hadn’t updated the Security bulletin when I posted.
October 8th, 2004 at 6:38 am
Auto Updates should pick it up as well. :).
October 22nd, 2004 at 12:08 am