ASP.NET Security Threat

by miseldine

I’ve been busy fixing the many applications at University today with this new security threat to ASP.NET applications.

Put simply, it's a matter of canonicalization that could allow users to enter password-protected areas of your sites by simply altering a URL.

A good how-to guide is available on the Microsoft support site, yet no formal fix has been released. You can protect your application, however, by dropping 5 lines of code into your global.asax (available on the page).

Also for .NET developers, grab the patch for the GDI+ JPEG buffer overrun bug that has also recently been fixed.

Update: You can now download a patch to update your servers. Thanks to tchansen for the heads up.

This post has 4 responses so far

  1. Check out the HTTP Mitigation patch just released by Microsoft. It allows you to patch the entire server instead of modifying each application. They updated the incident page (http://www.microsoft.com/security/incident/aspnet.mspx) as well as posted the .msi for the patch (http://www.microsoft.com/downloads/details.aspx?familyid=DA77B852-DFA0-4631-AAF9-8BCC6C743026&displaylang=en).

     
  2. The formatting on that didn’t come out well. Hopefully an administrator can correct the comment so that it is easier to see where to go…

     
  3. Good heads up! They hadn’t updated the Security bulletin when I posted.

     
  4. Auto Updates should pick it up as well. :).

     
