Tech Off Thread

9 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Massive ASP.Net Forms Authentication vulnerability

  • GregHurlman

    http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754

    This is, IMNSHO, the worst thing I've ever heard of.

    Spread the word, test your sites, and send angry emails to Microsoft.

  • Rossj

    OUCH.

  • Vader1975

    I tried this on my personal site (which uses forms authentication for an "admin" area) in IE and Mozilla 1.0 PR and both worked as expected (re-routing to the authentication page). Has anyone else tested this?

  • Manip2

    I tried it and it didn't work as they suggest... ^shrug^

  • gabe19

    I can't reproduce either, but that is consistent with the original article, which points out that 1.1 SP1 is no longer vulnerable.

    1.1 SP1 is being pushed out via Windows Update.

    As usual, it's a patching issue.

  • cathal

    I believe that the URLScan filter protects against this type of attack. If you don't have it installed yet, I highly recommend it. It can be downloaded from
    http://www.microsoft.com/technet/security/tools/urlscan.mspx , and there's a guide to it at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/HT_URLScan.asp


    Cathal

  • IanG

    First of all, this has nothing to do with Forms Authentication.  It's actually a bug in the URL Authorization module.  On systems that are subject to this bug (not all are), the same problems will be present if you are using, say, integrated Windows Authentication instead.

    Furthermore, if you're running Windows Server 2003, this doesn't affect you. It automatically does preprocessing of the URL before it gets as far as ASP.NET, converting backslashes to forward slashes.  (And as someone already pointed out, installing URLScan on older versions of IIS also fixes the problem.)

  • ScanIAm

    IanG wrote:
    First of all, this has nothing to do with Forms Authentication.  It's actually a bug in the URL Authorization module.  On systems that are subject to this bug (not all are), the same problems will be present if you are using, say, integrated Windows Authentication instead.

    Furthermore, if you're running Windows Server 2003, this doesn't affect you. It automatically does preprocessing of the URL before it gets as far as ASP.NET, converting backslashes to forward slashes.  (And as someone already pointed out, installing URLScan on older versions of IIS also fixes the problem.)

    But don't forget to 'send angry emails' to Microsoft about it.  That will surely help get the issue resolved for everyone...

  • jonathanh

    There's an incident page about this vulnerability at http://www.microsoft.com/security/incident/aspnet.mspx. That's your best source of all information about it.

    There's also a knowledgebase article (http://support.microsoft.com/?kbid=887459) explaining how to secure your ASP.NET apps.
