Nat Luengnaruemitchai

Geek Blog


You may have heard about the ASP.NET vulnerability reported earlier and be wondering how to work around it. While waiting for the patch, Microsoft recommends working around the vulnerability in ASP.NET's authentication system by adding the following code:

<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e) {
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        throw new HttpException(404, "not found");
    }
}
</script>

as it appears in KB887459.
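To see what the two conditions in the workaround refuse, the following added example (not part of the original post or of KB887459) runs the same checks as a console program over constructed sample paths. It assumes Windows, where Path.GetFullPath applies Windows path rules; the `Check` helper and the sample path pairs are hypothetical.

```csharp
using System;
using System.IO;

// Added illustration: the two conditions from the workaround, pulled into a
// plain function so they can be exercised outside ASP.NET.
// Assumption: runs on Windows, so Path.GetFullPath uses Windows path rules.
static class PathCheckDemo
{
    // Mirrors the Application_BeginRequest test. Returns "passes" or the
    // reason the request would get the 404 from the workaround.
    static string Check(string requestPath, string physicalPath)
    {
        // Condition 1: the virtual path must not contain a backslash.
        if (requestPath.IndexOf('\\') >= 0)
            return "rejected: backslash in Request.Path";

        // Condition 2: the physical path must already be in canonical form.
        string canonical = Path.GetFullPath(physicalPath);
        if (canonical != physicalPath)
            return "rejected: canonical form is " + canonical;

        return "passes";
    }

    static void Main()
    {
        // Constructed sample inputs: { Request.Path, Request.PhysicalPath }.
        // The pairing is hypothetical; in a real request ASP.NET supplies both.
        string[][] samples = {
            new[] { "/app/default.aspx",     @"C:\Inetpub\wwwroot\app\default.aspx" },
            new[] { @"/app\default.aspx",    @"C:\Inetpub\wwwroot\app\default.aspx" },
            new[] { "/app/sub/default.aspx", @"C:\Inetpub\wwwroot\app\sub\..\sub\default.aspx" },
            new[] { "/app/default.aspx",     @"C:\Inetpub\wwwroot\app/default.aspx" },
        };

        foreach (string[] s in samples)
            Console.WriteLine("{0,-24} {1,-50} {2}", s[0], s[1], Check(s[0], s[1]));
    }
}
```

Running it against paths your own application legitimately serves is a quick way to confirm the workaround will not turn valid requests into 404s before you deploy it.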

 

posted on Wednesday, October 06, 2004 7:53 AM

Feedback

# MS KB 887459 : Work Around for the IIS5/ASP.NET Authentication Vulnerability 10/6/2004 12:35 PM Sirsha Development Resources Blo
The hills are alive with the sound of music KB links echoed through blogosphere. As reported here here here here here here here here here here (and too many other places to mention), MS has released a bulletin regarding this vulnerability. If you want to correct the problem, you should add the code from KB article 887459 to your Global.asax (or Global.asax.cs or Global.asax.vb, as the case may be). I still recommend using more fine-grained security checks on each page like I mentioned earlier and that you run URLScan and IISLockdown (if you can). Or upgrade to IIS 6. Better yet, do all of the above.


