I don't usually forward security alerts, but this one is serious 
enough that I will make an exception. Basically, if you have any 
ASP.NET site, you need to do this fix!

Microsoft is currently investigating a reported vulnerability in 
Microsoft ASP.NET. An attacker can send specially crafted requests 
to the server and view secured content without providing the proper 
credentials. This reported vulnerability exists in ASP.NET and does 
not affect ASP.

This issue affects Web content owners who are running any version of 
ASP.NET on Microsoft Windows 2000, Windows 2000 Server, Windows XP 
Professional, and Windows Server 2003.

The underlying issue is that ASP.NET is failing to perform proper 
canonicalization of some URLs. Microsoft Knowledge Base (KB) article 
887459, "Programmatically Checking for Canonicalization Issues with 
ASP.NET," describes how to add additional safeguards to an ASP.NET 
application to help protect against common canonicalization issues, 
such as those related to this reported vulnerability.

The ASP.NET team has confirmed that all versions of ASP.NET on all 
operating systems may be susceptible to this potential exploit. They 
strongly recommend that you apply one of the two available fixes:

1. Apply the code below to the global.asax for each of your 
applications.

OR 

2. Install the special HTTP handler.

Option One - Add code to global.asax.

To use this option, add one of the following code samples to 
global.asax:

Global.asax code sample (Visual Basic .NET)

Sub Application_BeginRequest(Sender As Object, E As EventArgs)
    ' Reject any request whose virtual path contains a backslash, or whose
    ' mapped physical path is not already in its fully canonical form.
    If (Request.Path.IndexOf(Chr(92)) >= 0 Or _
        System.IO.Path.GetFullPath(Request.PhysicalPath) <> _
        Request.PhysicalPath) Then
        Throw New HttpException(404, "Not Found")
    End If
End Sub

Global.asax code sample (C#)

void Application_BeginRequest(object source, EventArgs e)
{
    // Reject any request whose virtual path contains a backslash, or whose
    // mapped physical path is not already in its fully canonical form.
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) !=
        Request.PhysicalPath)
    {
        throw new HttpException(404, "Not Found");
    }
}

Option Two - Install the HTTP Handler

Microsoft has released an HTTP module that Web site administrators 
can apply to their Web server that will protect all ASP.NET 
applications on the server against URL canonicalization problems 
known to Microsoft as of the publication date. This module, as well 
as detailed guidance and deployment information, is available from 
the Microsoft Download Center.

http://www.microsoft.com/downloads/details.aspx?familyid=DA77B852-DFA0-4631-AAF9-8BCC6C743026&displaylang=en
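For administrators who want the global.asax check applied to every application on a server from a single registration, the following is an added example (it is not Microsoft's downloadable module and was not part of the original message) that packages the same two tests as an IHttpModule; the class name, the assembly name and the module name in the web.config comment are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example: an IHttpModule carrying the same two tests as the
// global.asax sample, so that one registration covers every ASP.NET
// application on the server. Class and assembly names are assumptions.
public class PathCanonicalizationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Context.Request;
        if (!IsCanonical(request.Path, request.PhysicalPath))
        {
            // Same response as the global.asax sample: do not reveal
            // whether the requested resource exists.
            throw new HttpException(404, "Not Found");
        }
    }

    // Returns false when the virtual path contains a backslash or when
    // the mapped physical path differs from its fully resolved form.
    public static bool IsCanonical(string virtualPath, string physicalPath)
    {
        if (virtualPath.IndexOf('\\') >= 0)
        {
            return false;
        }
        return Path.GetFullPath(physicalPath) == physicalPath;
    }
}

// Register it once in the server's machine.config (all applications)
// or in a single application's web.config, after compiling it into an
// assembly placed in the bin directory (assembly name assumed):
//
//   <system.web>
//     <httpModules>
//       <add name="PathCanonicalization"
//            type="PathCanonicalizationModule, PathCanonicalization" />
//     </httpModules>
//   </system.web>
```

Because the module runs at BeginRequest, it rejects the request before any page or handler in the application sees it.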

The ASP.NET team is continuing to work on this problem and will post 
more information once it becomes available to 
http://www.microsoft.com/security/incident/aspnet.mspx.
