From leastpriviledge.com:
After some experimenting, I could also reproduce the same behaviour with Windows Authentication. So the bug is not in Forms Authentication; it is a canonicalization error in the UrlAuthorization Module of ASP.NET.

The reason Windows 2003 is not affected is the built-in URL normalization in IIS6, so the encoded URL never reaches the CLR. You can get the same result on Windows XP and Windows 2000, which are vulnerable (regardless of the .NET Service Pack), by installing URLScan (considered best practice on these platforms anyway). So do it!
I suppose that's why we haven't heard a single peep from Microsoft about this (which is quickly becoming worse than the vulnerability itself, I think)... so get yourself URLScan, and get it on your IIS 5.0 systems.

Apparently he's been able to repro this vulnerability on .NET 1.1 SP1, so yesterday's update is out the window.

Really, you should just subscribe to leastpriviledge.com's RSS feed. Today.
- G
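To illustrate the canonicalization point above, here is an added example (my own code, not from leastpriviledge.com or the post's author) of a small URL-authorization model that normalizes the request path before matching it against the rule table, the way IIS6 does before a URL reaches the CLR. The rule table, role names and request paths are constructed for the example.

```python
# Added example: normalize a request path before URL authorization, so an
# encoded spelling of a protected path is never compared against the rules
# in its raw form. Rules, roles and paths below are constructed.
import posixpath
from urllib.parse import unquote

# Constructed rule table, first match wins: (path prefix, roles allowed).
# Anything that matches no rule is denied.
RULES = [
    ("/secure/", {"admin"}),
    ("/", {"anonymous", "admin"}),
]


def canonicalize(raw_path):
    """Return the canonical form of raw_path, or None if it has none.

    Decoding twice detects double-encoded input: if a second decode still
    changes the string, the request was not a plain path and is refused.
    """
    once = unquote(raw_path)
    if unquote(once) != once or "\x00" in once or not once.startswith("/"):
        return None
    # Collapse "." and ".." segments and repeated slashes; normpath cannot
    # climb above "/" for an absolute path.
    path = posixpath.normpath(once)
    if once.endswith("/") and path != "/":
        path += "/"          # normpath drops the trailing slash; keep it
    return path.lower()      # IIS paths are case-insensitive


def authorize(raw_path, role, normalize=True):
    """Return True if `role` may request raw_path under RULES.

    normalize=False models the flawed behaviour: the raw, still-encoded
    path is matched against the rules, so it falls through to a weaker rule.
    """
    path = canonicalize(raw_path) if normalize else raw_path
    if path is None:
        return False
    for prefix, roles in RULES:
        if path.startswith(prefix):
            return role in roles
    return False


if __name__ == "__main__":
    for raw in ("/secure/admin.aspx", "/%73ecure/admin.aspx"):
        print(raw, "naive:", authorize(raw, "anonymous", normalize=False),
              "normalized:", authorize(raw, "anonymous"))
```

Running the block prints the naive check admitting the encoded spelling of the protected page while the normalized check denies it.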

This work is licensed under a Creative Commons License.