The Microsoft Security Response Center released its latest security advisory at noon today, warning the many ASP.NET users to guard against a new security vulnerability. Attackers can exploit this vulnerability in the ASP.NET encryption module to access any file, including web.config. The vulnerability exists in all released versions of ASP.NET, so its impact is not negligible. No patch has been released yet. Developers and maintenance personnel are urged to strengthen their defenses.
It is reported that the new vulnerability in the ASP.NET encryption module allows attackers to decrypt and tamper with arbitrary encrypted data. If the ASP.NET application uses ASP.NET 3.5 SP1 or later, attackers can use this encryption vulnerability to request the content of any file in the ASP.NET application. Some attack cases circulating on the network show attackers exploiting this encryption vulnerability to obtain the content of the web.config file. In fact, once an attacker obtains the access permissions of the web application's worker process, the attacker can access arbitrary files in the application.
For more information about this vulnerability, visit: http://www.microsoft.com/technet/security/advisory/2416728.mspx
For more information, see http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Vulnerability scan tool download: http://www.asp.net/media/782788/detectcustomerrorsdisabledv30.zip
Vulnerability scan tool usage:
1. Decompress the ZIP file and extract the detectcustomerrorsdisabled3.vbs file to the hard disk.
2. Open the CMD command prompt, change to the folder where detectcustomerrorsdisabled3.vbs was extracted, and run: cscript detectcustomerrorsdisabled3.vbs
Reference: http://www.senparc.com/News-390.xhtml