Important: ASP.NET Vulnerability
I think this is important for everyone to read.
An ASP.NET vulnerability was unveiled recently. Please read the following message from Microsoft Security Response Center for information on the vulnerability and how to fix it.
http://blogs.technet.com/b/msrc/arch...-released.aspx
Re: Important: ASP.NET Vulnerability
That's a dangerious threat. Thanks for the heads up. :)
Re: Important: ASP.NET Vulnerability
Re: Important: ASP.NET Vulnerability
Hello Athehist,
Thanks for the heads up, I was note aware of this.
Gary
Re: Important: ASP.NET Vulnerability
Hello everyone,
I am just reading more information about this vulnerability here:
http://weblogs.asp.net/scottgu/archi...erability.aspx
Gary
Re: Important: ASP.NET Vulnerability
Simple enough fix.
Other thing I do, which was kind of an "oh duh" moment for me, was I put this in a long time ago. I used to have a "you don't have permission to access this page" type page, and a generic "oops something happened" type page.
The issue was, finding the "you don't have permission to access this page" means "Hey, you ALMOST made it into a protected page, now that you know the URL start going to town with every technique/script you have!"
So the generic Error page isn't all that bad of an option anyway. Unique error information should be logged into your web error log anyway.
Re: Important: ASP.NET Vulnerability
Some more information has been posted about this by Scott Gu, you can find it here:
http://weblogs.asp.net/scottgu/archi...erability.aspx
This exploit affects all ASP.Net Application, including ASP.Net MVC, and SharePoint. You can find information about SharePoint here:
http://blogs.msdn.com/b/sharepoint/a...harepoint.aspx
Gary
Re: Important: ASP.NET Vulnerability
Hey,
Looks like there is a fix for this.
Being released today:
http://weblogs.asp.net/scottgu/archi...sept-28th.aspx
Gary
Re: Important: ASP.NET Vulnerability
A patch is now available for the ASP.Net Vulnerability:
http://weblogs.asp.net/scottgu/archi...available.aspx
Gary
Re: Important: ASP.NET Vulnerability
Re: Important: ASP.NET Vulnerability
Re: Important: ASP.NET Vulnerability
This was also posted to the US-CERT mailing list. If you don't already subscribe, it's a great way to keep track of the latest security announcements/vulnerabilities from Microsoft/Adobe/Oracle/etc.
Re: Important: ASP.NET Vulnerability
Nice link tr333, I didn't know about that one.
Thanks
Gary
Re: Important: ASP.NET Vulnerability
The update is now being pushed out through Windows Update as well:
http://weblogs.asp.net/scottgu/archi...ws-update.aspx
Gary
Re: Important: ASP.NET Vulnerability
Quote:
Originally Posted by
gep13
That's sound good :thumb:
Re: Important: ASP.NET Vulnerability
Yip, hopefully there won't be many installations left in an unpatched state with it being pushed out this way.
Gary