posted on Wednesday, October 06, 2004 12:53 PM
by
DougSeven
MUST READ: What You Should Know About a Reported Vulnerability in Microsoft ASP.NET
For those of you working with ASP.NET, please be aware of the following reported security vulnerability in ASP.NET.
From Microsoft's Web site:
Microsoft is currently investigating a reported vulnerability in Microsoft ASP.NET. An attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This reported vulnerability exists in ASP.NET and does not affect ASP.
This issue affects Web content owners who are running any version of ASP.NET on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional, and Windows Server 2003.
The underlying issue is that ASP.NET is failing to perform proper canonicalization of some URLs. Microsoft Knowledge Base (KB) article 887459, "Programmatically Checking for Canonicalization Issues with ASP.NET," describes how to add additional safeguards to an ASP.NET application to help protect against common canonicalization issues, such as those related to this reported vulnerability.
Resources
http://www.microsoft.com/security/incident/aspnet.mspx
http://support.microsoft.com/?kbid=887459
Both DotNetJunkies and SqlJunkies have been patched.