A security conference a few days ago disclosed an ASP.NET security vulnerability (affecting versions 1.0 through 4.0). Attackers can use it to obtain the website's web.config file (which usually stores sensitive information such as database connection strings) and to obtain the encrypted information in ViewState.
Blog Garden (cnblogs.com) has a detailed discussion of this vulnerability: ASP.NET's latest security vulnerability, the principles of padding oracle attacks, and more. The following uses a tool to demonstrate how a padding oracle attack checks the settings of Blog Garden:
This shows that Blog Garden is affected by the padding oracle attack vulnerability. Please take action as soon as possible.
Until Microsoft releases a fix, you can follow the temporary workaround given in ScottGu's article. I believe Microsoft will release a security patch that resolves the problem properly; once it can be deployed, restore the website's previous customErrors settings:
The following is translated from ScottGu's blog post: Important: ASP.NET Security Vulnerability.
If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0 or ASP.NET 3.5, follow the steps below to enable <customErrors/> and map all errors to a single error page:
1) Edit the root web.config file of your ASP.NET application. If the file does not exist, create one in the root directory of the application.
2) Create or modify the <customErrors/> configuration section of web.config and add the following content:
<customErrors mode="On" defaultRedirect="~/error.html" />
3) Add a separate error.html file to the application containing any content you like (an appropriate error page). This file is displayed whenever an error occurs in the web application.
Note: With customErrors mode set to "On" as above, all errors are redirected to the default error page. No error page is defined for individual status codes, meaning all child sections of <customErrors/> are removed. This prevents attackers from using different status codes to determine the result of processing on the server, and so avoids information leakage.
If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0, follow these steps to enable <customErrors/> and map all errors to a single error page:
1) Edit the root web.config file of your ASP.NET application. If the file does not exist, create one in the root directory of the application.
2) Create or modify the <customErrors/> section of web.config so that it has the settings below. Note the use of redirectMode="ResponseRewrite", which is available in .NET 3.5 SP1 and .NET 4.0:
<customErrors mode="On" defaultRedirect="~/error.aspx" redirectMode="ResponseRewrite" />
Note: Set redirectMode to ResponseRewrite.
3) Add an error.aspx file to the application containing any content you like (an appropriate error page). This file is displayed whenever an error occurs in the web application.
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    void Page_Load() {
        // Sleep for a random 0-255 ms before rendering the error page, so that
        // response timing does not reveal which kind of error occurred.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // RandomNumberGenerator only implements IDisposable on newer frameworks,
        // so dispose it through the interface where it is available.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head>
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
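To check that a web.config actually carries the workaround described in the two procedures above, here is a small audit script. It is an added example, not code from ScottGu's post or from Blog Garden; the two web.config fragments are constructed, and the caller passes whether the application runs on 3.5 SP1 / 4.0 (where redirectMode="ResponseRewrite" is part of the workaround).

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from the original post).
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
      <error statusCode="404" redirect="~/notfound.html" />
      <error statusCode="500" redirect="~/oops.html" />
    </customErrors>
  </system.web>
</configuration>"""

FIXED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx" redirectMode="ResponseRewrite" />
  </system.web>
</configuration>"""


def audit_custom_errors(xml_text, needs_response_rewrite):
    """Return a list of findings; an empty list means the workaround is in place.

    needs_response_rewrite: True for ASP.NET 3.5 SP1 / 4.0, where the
    redirectMode="ResponseRewrite" attribute is part of the workaround.
    """
    findings = []
    root = ET.fromstring(xml_text)
    # Locate <customErrors> wherever it sits under <system.web>.
    node = next(root.iter("customErrors"), None)
    if node is None:
        return ["<customErrors/> section missing: error responses differ by error type"]
    if node.get("mode") != "On":
        findings.append("customErrors mode must be \"On\", found %r" % node.get("mode"))
    if not node.get("defaultRedirect"):
        findings.append("defaultRedirect not set: no single error page for all errors")
    # Per-status <error> children let an attacker tell error conditions apart.
    per_status = node.findall("error")
    if per_status:
        codes = ", ".join(e.get("statusCode", "?") for e in per_status)
        findings.append("per-status <error> entries (%s) make responses differ by status code" % codes)
    if needs_response_rewrite and node.get("redirectMode") != "ResponseRewrite":
        findings.append("redirectMode must be \"ResponseRewrite\" on 3.5 SP1 / 4.0")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_custom_errors(cfg, needs_response_rewrite=True) or ["OK"])
```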
Note: we strongly recommend that you read Microsoft's advisory http://www.microsoft.com/technet/security/advisory/2416728.mspx and, for further details, ScottGu's blog post http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx together with the error.aspx page example in that article.
After making the changes, remember to restart IIS.
Microsoft has released an important security update for ASP.NET to address this ASP.NET security vulnerability: http://www.cnblogs.com/msdnchina/archive/2010/09/29/1838161.html