ASP.NET security vulnerabilities and countermeasures

Source: Internet
Author: User
Tags: .net, bug

First, this security bug in .NET Forms authentication applies to ASP.NET 1.0 (RTM, SP1, SP2, SP3) and ASP.NET 1.1 (RTM, SP1).

When Forms authentication is used, an anonymous user who tries to access a protected page, such as http://localhost/webapplication2/secret.aspx, is redirected to the logon page, such as http://localhost/webapplication2/login.aspx?ReturnUrl=%2fwebapplication2%2fsecret.aspx.

However, with Mozilla an anonymous user can reach the protected page without authentication by requesting http://localhost/webapplication2\secret.aspx; in IE, %5c achieves the same result: http://localhost/webapplication2%5csecret.aspx

On October 5, Microsoft released the page "What You Should Know About a Reported Vulnerability in Microsoft ASP.NET" with countermeasures for this vulnerability. The current countermeasure is to add a check in Application_BeginRequest in Global.asax (or its code-behind), as described in KB887459:

    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath)
    {
        throw new HttpException(404, "not found");
    }

Obviously every application needs such a check to cope with this vulnerability. Microsoft will also provide other countermeasures; watch the "What You Should Know About a Reported Vulnerability in Microsoft ASP.NET" page for updates.
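The same check packaged as an IHttpModule, so that it can be registered once per server (in machine.config) or once per application (in web.config) instead of being pasted into every Global.asax. This is an added example, not code from the original post or from KB887459; the class name PathCanonicalizationModule, the assembly name PathCanonicalization and the registration snippet in the trailing comment are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example (not from the original post or KB887459): the KB887459
// canonicalization check packaged as an HTTP module. The class name is
// an assumption.
public class PathCanonicalizationModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // BeginRequest is raised before the Forms authentication and URL
        // authorization modules run, so a rejected request never reaches
        // them. The .NET 1.x delegate syntax is used deliberately.
        application.BeginRequest += new EventHandler(OnBeginRequest);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Request;

        // Reject any request whose virtual path still contains a backslash
        // (a literal '\' or a decoded %5c) ...
        bool hasBackslash = request.Path.IndexOf('\\') >= 0;

        // ... or whose mapped physical path is not already in canonical
        // form. Path.GetFullPath resolves '.' and '..' and normalizes
        // separators; if its result differs from the path ASP.NET mapped,
        // the request URL was not canonical.
        bool notCanonical =
            Path.GetFullPath(request.PhysicalPath) != request.PhysicalPath;

        if (hasBackslash || notCanonical)
        {
            // Same response as the KB887459 Global.asax check.
            throw new HttpException(404, "not found");
        }
    }

    public void Dispose()
    {
    }
}

/* Registration (assumption: the compiled assembly is named
   PathCanonicalization). Add inside <system.web> of the application's
   web.config, or of machine.config to cover every application on the
   server:

   <httpModules>
     <add name="PathCanonicalization"
          type="PathCanonicalizationModule, PathCanonicalization" />
   </httpModules>

   For machine.config the assembly must be strong-named and installed in
   the GAC, and the type attribute must then give the full assembly name
   (Version, Culture, PublicKeyToken).
*/
```

After deploying, request a protected page once in its normal form and once with a backslash in place of the last slash: the first must redirect to the logon page as before, the second must now return 404 instead of the page content.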

For ASP.NET 2.0 Beta 1, a 404 error is returned instead, so the vulnerability does not apply.

This post is provided "as is" without any warranty and confers no rights.

Published on Thursday, October 07, 2004 (AM)

Comments
# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 AM tommywoo
http://localhost/webapplication2%5csecret.aspx

I tried it. No. Is it an IE version problem?

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 AM r2
Ah, terrible! Fortunately I'm using Beta 1.

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 AM r2
Is Microsoft's form authentication really this fragile??

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 AM wonge
This error does not occur on Windows 2003: http://localhost/webapplication2%5csecret.aspx?

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 AM sun zhanbo
I verified it on XP SP2 and its IE6.
According to the "What You Should Know About a Reported Vulnerability in Microsoft ASP.NET" page, Windows 2003 Server also has this problem. This is an ASP.NET bug, not an OS bug.

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 AM lostinet
Terrible vulnerability ~~~
The solution is to create a simple IHttpModule and register it in the GAC and machine.config.

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 PM flashtoy
I tried it by that method. Why don't I have this problem?
Scared me!
http://www.creva.org.cn/creva/orgshow.aspx

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 PM tommywoo
Friends above, I've figured it out..

Because we use IE, and to use this vulnerability in IE we must use %5c instead of the \ symbol...

Both of us verified it in a first-level subdirectory of the root directory; for example, you would have to use http://www.creva.org.cn%5ccreva/orgshow.aspx

Obviously there is a problem here: what is the domain name? The domain name is taken as "www.creva.org.cn%5ccreva" instead of "www.creva.org.cn".

I think the problem is that Zhan Bo uses a sub-directory under the virtual directory, so this vulnerability occurs.

You can try it in Mozilla with the \ symbol.

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 PM blue space
There is indeed a problem. Please fix it as soon as possible.

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 PM libber
Why can't I reproduce it? .NET Framework 1.1 SP1

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 PM kwklover
I tested it too. No problem.
You can test this website.

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/7/2004 PM erictang2003
I couldn't reproduce it either; I didn't see it with IE6 or Firefox 1.0.
But I changed the code anyway, just in case.

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/8/2004 AM xiaoheng
Tested. No problem found!!!!

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/8/2004 AM Gigabyte
You can add a solution like this in Global.asax:

    void Application_BeginRequest(object source, EventArgs e)
    {
        if (Request.Path.IndexOf('\\') >= 0 ||
            System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath)
        {
            throw new HttpException(404, "not found");
        }
    }

Here is Microsoft's explanation:
http://www.kbalertz.com/kb_887459.aspx

# Re: ASP.NET form authentication security vulnerability and Countermeasures 10/8/2004 PM Michael Lee
God! Bad news!!!

This problem can be solved. The earlier GDI+ bug is even more incredible.

Address: http://www.ttud.com/info/1465.htm
