[Update: Seems to be fixed in 1.1 SP1 - so get those machines patched - but we need a hotfix for 1.0 folks as well. Never mind.]

So, yikes (via LeastPriviledge.com):

We believe we have discovered a serious flaw in .NET forms authentication
when used to secure sub folders. ...

1. Using Mozilla not IE, you make a request to
http://localhost/secure\somefile.aspx. The use of a backslash rather than a
forward slash appears to bypass the expected authentication model invoked in
.NET forms authentication

2. Using IE, you make a request to
http://localhost/secure\somefile.aspx -
IE automatically replaces the backslash "\" with a forward slash "/" and
everything appears fine. However, replace the backslash "\" with %5C (%5C
being the hex value for \) and all is not so fine:

http://localhost/secure%5Csomefile.aspx
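The two requests above are a textbook canonicalization bypass: an authorization check that compares the raw request path against the protected folder never sees "/secure/" when the client sends "secure\somefile.aspx" or "secure%5Csomefile.aspx", even though IIS will happily serve the same file for all three spellings. The following is an added illustration of that bug class and of the fix the Microsoft guidance quoted later in this post asks for. It is not code from the original post and is not ASP.NET's actual forms-authentication implementation; it is a simplified model in which the protected subfolder, the sample request paths and the helper names are all my own assumptions.

```python
"""Naive path-prefix authorization versus a canonicalizing check.

Illustrative model only (not ASP.NET internals): a protected subfolder is
assumed to be "/secure/", and authorization is modelled as "is this request
inside the protected folder?".
"""
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/secure/"  # assumption: forms auth configured for the "secure" subfolder


def naive_is_protected(raw_path: str) -> bool:
    """Vulnerable check: string-prefix match on the path exactly as requested.

    "/secure\\somefile.aspx" and "/secure%5Csomefile.aspx" never start with
    "/secure/", so they are treated as public even though the web server will
    resolve them to the same file as "/secure/somefile.aspx".
    """
    return raw_path.startswith(PROTECTED_PREFIX)


def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to one canonical form before deciding anything.

    Steps, in order:
      1. percent-decode repeatedly (catches double encoding such as %255C),
      2. map backslashes to forward slashes (IE does this for you; other
         clients, and %5C, do not),
      3. collapse duplicate slashes and "."/".." segments,
      4. lowercase, because IIS/Windows paths are case-insensitive.
    """
    path = raw_path
    for _ in range(3):  # bounded loop: stop once decoding is a fixed point
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)  # resolves "." and ".." against the root
    return path.lower()


def hardened_is_protected(raw_path: str) -> bool:
    """Same policy, applied to the canonical form of the path."""
    canon = canonicalize_path(raw_path)
    # Trailing slash in the prefix keeps "/securefiles/x.aspx" from matching.
    return canon == PROTECTED_PREFIX.rstrip("/") or canon.startswith(PROTECTED_PREFIX)


def evaluate(paths):
    """Return (raw_path, naive_verdict, hardened_verdict) for each request."""
    return [(p, naive_is_protected(p), hardened_is_protected(p)) for p in paths]


if __name__ == "__main__":
    # Constructed sample requests: the three spellings from the post plus a few
    # relatives (double encoding, dot-segment traversal, case, a near-miss).
    SAMPLE_REQUESTS = [
        "/secure/somefile.aspx",
        "/secure\\somefile.aspx",
        "/secure%5Csomefile.aspx",
        "/secure%255Csomefile.aspx",
        "/public/../secure/somefile.aspx",
        "/SECURE/somefile.aspx",
        "/securefiles/readme.aspx",
    ]
    for raw, naive, hardened in evaluate(SAMPLE_REQUESTS):
        print(f"{raw!r:38} naive={naive!s:5} canonical={hardened}")
```

Every spelling of the protected file except the literal "/secure/somefile.aspx" slips past the naive check, and every one of them is caught once the path is canonicalized first. The general rule the example demonstrates is the one from the design guidelines: decode and normalize first, then authorize, and never let the server's own path resolution be more permissive than the check in front of it.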

If you haven't already, go back and read the full message I linked to at the top of the post.  GO!

OK, this is the worst thing I've ever heard of (from same post):

Interestingly (and I guess now somewhat amusingly) Microsoft point out in
the article "Design Guidelines for Secure Web Applications"
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh04.asp):

"Be Careful with Canonicalization Issues:

Data in canonical form is in its most standard or simplest form.
Canonicalization is the process of converting data to its canonical form.
File paths and URLs are particularly prone to canonicalization issues and
many well-known exploits are a direct result of canonicalization bugs. For
example, consider the following string that contains a file and path in its
canonical form."

And then goes on to define the exploit ;-)

How on earth did *that* manage to happen?  How did whoever was testing this not pick up on the fact that they should maybe test the exact thing that their whitepaper was warning developers about?

Further, where on earth is anyone from Microsoft on this?  I've heard not a peep in a single RSS feed, and I'm subscribed to well over 300 MS blogs, along with the Security Bulletin feed.

Honestly - it's things like this that make me glad that I don't support IIS anymore (and by association, ASP/ASP.Net), and even more glad that I sold off all my MS stock when I left.

- G

This work is licensed under a Creative Commons License.