http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754
This is, IMNSHO, the worst thing I've ever heard of.
Spread the word, test your sites, and send angry emails to Microsoft.
-
-
OUCH. -
I tried this on my personal site (which uses forms authentication for an "admin" area) in IE and Mozilla 1.0 PR and both worked as expected (re-routing to the authentication page). Has anyone else tested this?
-
I have; it didn't work as they suggest... ^shrug^
-
I can't reproduce either, but that is consistent with the original article which points out that 1.1sp1 is no longer vulnerable.
1.1 SP1 is being pushed out via Windows Update.
As usual, it's a patching issue. -
I believe that the URLScan filter protects against this type of attack. If you don't have it installed yet, I highly recommend it. It can be downloaded from
http://www.microsoft.com/technet/security/tools/urlscan.mspx , and there's a guide to it at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/HT_URLScan.asp
Cathal -
First of all, this has nothing to do with Forms Authentication. It's actually a bug in the URL Authorization module. On systems that are subject to this bug (not all are), the same problems will be present if you are using, say, integrated Windows Authentication instead.
Furthermore, if you're running Windows Server 2003, this doesn't affect you. It automatically does preprocessing of the URL before it gets as far as ASP.NET, converting backslashes to forward slashes. (And as someone already pointed out, installing URLSCAN on older versions of IIS also fixes the problem.) -
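The point IanG makes is the general one behind this class of bug: an authorization rule keyed on the request path is only as good as the form of the path it sees, so the path has to be canonicalized (here, backslashes turned into forward slashes) before the rule is evaluated, not after. The following is an added illustration in Python, not code from this thread, from ASP.NET or from Microsoft's fix. It puts a naive prefix check beside a canonicalize-then-authorize version and goes a little beyond the thread by also folding percent-encoding and dot segments into the canonical form. The rule table, role names and sample paths are constructed for the example.

```python
"""
Canonicalize-then-authorize, illustrating the bug class discussed above:
a path-prefix authorization rule that is applied to the raw request path
can be bypassed when the same resource is reachable under a non-canonical
spelling of the path (e.g. with a backslash as separator).

Added example; the rule table and sample paths are constructed.
"""
import posixpath
from urllib.parse import unquote

# Constructed rule table: canonical path prefix -> roles allowed there.
# Paths matching no rule are open to anonymous users.
RULES = {
    "/admin/": {"admin"},
}


def naive_is_authorized(raw_path: str, roles: set) -> bool:
    """The flawed pattern: match the rule against the path as received.
    '/admin\\users.aspx' does not start with '/admin/', so the rule never
    fires and the request is treated as public."""
    for prefix, allowed in RULES.items():
        if raw_path.startswith(prefix):
            return bool(allowed & roles)
    return True


def canonicalize(raw_path: str) -> str:
    """Return one canonical spelling of a request path, or raise ValueError.

    Every alias of a resource must map to the same string here, otherwise
    the authorization rule below can be sidestepped by picking an alias.
    """
    # Decode percent-encoding exactly once; anything still encoded after
    # that was double-encoded and is rejected rather than guessed at.
    path = unquote(raw_path)
    if "%" in path:
        raise ValueError("double-encoded path")
    # Treat backslash as a separator, as the thread says IIS on Windows
    # Server 2003 does before the URL reaches ASP.NET.
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        raise ValueError("path is not absolute")
    # Collapse '.', '..' and repeated slashes. For absolute paths normpath
    # cannot climb above the root, so '..' never survives this step.
    path = posixpath.normpath(path)
    # normpath preserves a leading '//' (POSIX allows it to be special);
    # fold it, or '//admin/x' would slip past a '/admin/' rule.
    return "/" + path.lstrip("/")


def is_authorized(raw_path: str, roles: set) -> bool:
    """Evaluate the rule table against the canonical path only."""
    path = canonicalize(raw_path)
    for prefix, allowed in RULES.items():
        # normpath strips the trailing slash, so '/admin' itself must match too.
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return bool(allowed & roles)
    return True


if __name__ == "__main__":
    anon = set()
    for p in ["/admin/users.aspx", "/admin\\users.aspx",
              "/public/..\\admin/users.aspx", "/%5Cadmin/users.aspx"]:
        print(f"{p!r:35} naive={naive_is_authorized(p, anon)!s:5} "
              f"canonical={is_authorized(p, anon)}")
```

Run it and the naive check lets every alias of `/admin/users.aspx` through for an anonymous user except the canonical spelling, while the second version denies all of them. Rejecting a request that contains a backslash outright (rather than translating it) is an equally valid choice when the application has no legitimate use for backslashes in URLs.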
IanG wrote: First of all, this has nothing to do with Forms Authentication. It's actually a bug in the URL Authorization module. On systems that are subject to this bug (not all are), the same problems will be present if you are using, say, integrated Windows Authentication instead.
Furthermore, if you're running Windows Server 2003, this doesn't affect you. It automatically does preprocessing of the URL before it gets as far as ASP.NET, converting backslashes to forward slashes. (And as someone already pointed out, installing URLSCAN on older versions of IIS also fixes the problem.)
But don't forget to 'send angry emails' to Microsoft about it. That will surely help get the issue resolved for everyone...
-
There's an incident page about this vulnerability at http://www.microsoft.com/security/incident/aspnet.mspx. That's your best source of all information about it.
There's also a knowledgebase article (http://support.microsoft.com/?kbid=887459) explaining how to secure your ASP.NET apps.