A security conference a few days ago disclosed an ASP.NET security vulnerability (affecting every version from 1.0 through 4.0). Attackers can exploit it to retrieve the website's web.config file (which usually stores sensitive information such as database connection strings) and to decrypt the information in ViewState.
Blog Garden (cnblogs) has a detailed discussion of this vulnerability: ASP.NET's latest security vulnerability, the principles of Padding Oracle attacks, and more. The following uses a tool to check Blog Garden's settings for the Padding Oracle attack:
This indicates that Blog Garden has the Padding Oracle attack vulnerability. Please take action as soon as possible.
Until Microsoft releases a fix, you can basically follow the temporary workaround provided in ScottGu's article. I believe Microsoft will release a security patch; once it is deployed and the problem is fixed properly, restore the website's previous customErrors settings.
The following is from ScottGu's blog post "Important: ASP.NET Security Vulnerability".
If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0 or ASP.NET 3.5, follow the steps below to enable customErrors and map all errors to a single error page:
1) Edit the root web.config file of your ASP.NET application. If the file does not exist, create one in the root directory of the application.
2) Create or modify the <customErrors> section of web.config to contain the following:
The following is a code snippet:
<customErrors mode="On" defaultRedirect="~/Error.html" />
3) Add an error.html file to the application containing whatever content you like (an appropriate error page). When an error occurs in the web application, this file is displayed.
The following is a code snippet:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    void Page_Load()
    {
        // Sleep for a random 0-255 ms so that response timing does not
        // reveal which kind of error occurred on the server.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // RNGCryptoServiceProvider is only IDisposable on newer frameworks,
        // so dispose it through the interface when available.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
Note: with customErrors mode set to "On" as above, every error is redirected to the default error page. Do not define separate error pages for individual status codes, that is, do not add any <error> sub-elements. This stops an attacker from using the different status codes to tell apart how the server processed each request, and so prevents the information leak.
If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0, follow these steps to enable customErrors and map all errors to a single error page:
1) Edit the root web.config file of your ASP.NET application. If the file does not exist, create one in the root directory of the application.
2) Create or modify the <customErrors> section of web.config to contain the following. Note the use of redirectMode="ResponseRewrite" in .NET 3.5 SP1 and .NET 4.0:
The following is a code snippet:
<customErrors mode="On" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite" />
Note that you should set redirectMode to ResponseRewrite.
3) Add an Error.aspx to the application containing whatever content you like (an appropriate error page). When an error occurs in the web application, this file is displayed.
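The two procedures above boil down to a handful of settings in web.config, and it is easy to get one of them wrong (for example leaving mode="RemoteOnly", or keeping a per-status-code <error> page that was added years ago). The following is an added example, not code from the original post or from ScottGu's article: a small offline check, written in Python with the standard library, that reads a web.config and reports which of the workaround's settings are missing. The sample configurations embedded in it are constructed for illustration; the function name check_custom_errors and the needs_response_rewrite flag are the example's own.

```python
# Added example: verify that a web.config applies the customErrors workaround
# (mode="On", a defaultRedirect, no per-status-code <error> pages, and on
# ASP.NET 3.5 SP1 / 4.0 also redirectMode="ResponseRewrite").
import xml.etree.ElementTree as ET


def check_custom_errors(web_config_xml, needs_response_rewrite):
    """Return a list of findings; an empty list means the workaround is in place.

    needs_response_rewrite: True for ASP.NET 3.5 SP1 / 4.0, where the post also
    requires redirectMode="ResponseRewrite"; False for ASP.NET 1.0 through 3.5.
    """
    findings = []
    root = ET.fromstring(web_config_xml)
    # Inspect every <customErrors> element, not only the one directly under
    # <system.web>: a <location> block can override the root setting for a
    # sub-path, and an override with mode="Off" would reopen the leak there.
    elements = list(root.iter("customErrors"))
    if not elements:
        return ["no <customErrors> element found"]
    for ce in elements:
        mode = ce.get("mode")
        if mode != "On":
            findings.append(f'customErrors mode is {mode!r}, expected "On"')
        if not ce.get("defaultRedirect"):
            findings.append("customErrors has no defaultRedirect")
        # Per-status-code pages let a client distinguish server outcomes,
        # which is exactly the signal the workaround is meant to remove.
        codes = [e.get("statusCode") for e in ce.findall("error")]
        if codes:
            findings.append(f"per-status-code <error> entries present: {codes}")
        if needs_response_rewrite and ce.get("redirectMode") != "ResponseRewrite":
            findings.append(
                f'redirectMode is {ce.get("redirectMode")!r}, expected "ResponseRewrite"'
            )
    return findings


# Constructed sample configurations (not taken from any real site).
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.html">
      <error statusCode="404" redirect="~/NotFound.html" />
      <error statusCode="500" redirect="~/ServerError.html" />
    </customErrors>
  </system.web>
</configuration>
"""

HARDENED_35 = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.html" />
  </system.web>
</configuration>
"""

HARDENED_40 = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx"
                  redirectMode="ResponseRewrite" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for name, cfg, rewrite in [
        ("weak (as 2.0)", WEAK_CONFIG, False),
        ("weak (as 4.0)", WEAK_CONFIG, True),
        ("hardened 1.0-3.5", HARDENED_35, False),
        ("hardened 3.5 SP1 / 4.0", HARDENED_40, True),
    ]:
        print(name, "->", check_custom_errors(cfg, rewrite) or "OK")
```

Run it against the application's real web.config (read the file into a string and pass it in) with the flag matching the ASP.NET version in use; any non-empty result is a setting the post tells you to change before the patch is available.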
Note: we strongly recommend that you read Microsoft's advisory at http://www.microsoft.com/technet/security/advisory/2416728.mspx. For further details, please read ScottGu's blog article. After making the changes, remember to restart IIS.