Friday, March 16, 2012

Massive ASP.Net Forms Authentication vulnerability

http://sourceforge.net/mailarchive/...&forum_id=24754

This is, IMNSHO, the worst thing I've ever heard of.

Spread the word, test your sites, and send angry emails to Microsoft.
--
Greg Hurlman
ghurlman*AT*squaretwo*DOT*net
http://blogs.squaretwo.net

A couple of key points here:

"Confirm a user is who they should be, use the roles system in ASP.NET on
EVERY page that should be secured."
...

"Do not just rely on the Web.Config settings"

Since I wrote my first forms authentication site, I always ensured on every
page requiring authorization that the user's role allowed him access to the
page using the roles system and a few other custom methods. It's just a
habit carried over from classic asp. Stephen Fraser has several good
examples of how to avoid this particular exploit in his CMS.NET product
(http://www.gotdotnet.com/workspaces...orkspaceName&Direction=ASC&ST=cms.net)
although he never mentions the vulnerability per se.

Having said that, these MS "silly" vulnerabilities have become quite
tiresome. I really don't like having to constantly convince my bosses not
to scrap ms development products altogether in favor of linux based tools.

My 2
Craig

"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:3870010F-E882-420E-A6C3-F91BF71A25D3@.microsoft.com...
> http://sourceforge.net/mailarchive/...&forum_id=24754
> This is, IMNSHO, the worst thing I've ever heard of.
> Spread the word, test your sites, and send angry emails to Microsoft.
> --
> Greg Hurlman
> ghurlman*AT*squaretwo*DOT*net
> http://blogs.squaretwo.net
I just tried this (the \) in FireFox preview release 1 and couldn't
duplicate.

I also tried it (the %5C) in IE 5.5 and IE 6 without success.

Is this for real?

Greg

"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:3870010F-E882-420E-A6C3-F91BF71A25D3@.microsoft.com...
> http://sourceforge.net/mailarchive/...&forum_id=24754
> This is, IMNSHO, the worst thing I've ever heard of.
> Spread the word, test your sites, and send angry emails to Microsoft.
> --
> Greg Hurlman
> ghurlman*AT*squaretwo*DOT*net
> http://blogs.squaretwo.net
I've been able to repro it, and then not able to after applying framework 1.1
SP1 - don't know about 1.0 installations.

"Greg Burns" wrote:

> I just tried this (the \) in FireFox preview release 1 and couldn't
> duplicate.
> I also tried it (the %5C) in IE 5.5 and IE 6 without success.
> Is this for real?
> Greg
> "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
> news:3870010F-E882-420E-A6C3-F91BF71A25D3@.microsoft.com...
> > http://sourceforge.net/mailarchive/...&forum_id=24754
> > This is, IMNSHO, the worst thing I've ever heard of.
> > Spread the word, test your sites, and send angry emails to Microsoft.
> > --
> > Greg Hurlman
> > ghurlman*AT*squaretwo*DOT*net
> > http://blogs.squaretwo.net
>
I assume you mean SP1 installed on the server hosting the ASP.NET site? My
server is still Framework 1.1 no SP applied...

(My test of IE 5.5 was done through a Citrix terminal session with no
framework on the client at all)

Greg

"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:8F89E74F-013C-47D0-A1E7-38B59C4830F5@.microsoft.com...
> I've been able to repro it, and then not able to after applying framework
> 1.1 SP1 - don't know about 1.0 installations.
> "Greg Burns" wrote:
>> I just tried this (the \) in FireFox preview release 1 and couldn't
>> duplicate.
>>
>> I also tried it (the %5C) in IE 5.5 and IE 6 without success.
>>
>> Is this for real?
>>
>> Greg
>>
>> "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
>> news:3870010F-E882-420E-A6C3-F91BF71A25D3@.microsoft.com...
>> > http://sourceforge.net/mailarchive/...&forum_id=24754
>> > This is, IMNSHO, the worst thing I've ever heard of.
>> > Spread the word, test your sites, and send angry emails to Microsoft.
>> > --
>> > Greg Hurlman
>> > ghurlman*AT*squaretwo*DOT*net
>> > http://blogs.squaretwo.net
Just my two cents.

I have been able to replicate this bug using Firefox, IE on a Windows XP SP1
system, with .NET 1.1.4322.573 and .NET SP1 running IIS 5.0.

I have not been able to replicate this on Windows 2003 Server, with .NET
1.1.4322.573 and .NET SP1 running IIS 6.0.

Ryan Taylor
Yes, apparently the URL normalization that IIS 6.0 manages is mitigating this
particular issue.

What's worse is that now it appears to affect Windows authentication as well
as forms auth; see
http://blogs.squaretwo.net/PermaLin...6e-f2576fa2b0f1 for details.

Is there any hope of Microsoft or even an MVP giving us any word on this, or
are they just hoping it'll go away?

--
Greg Hurlman
ghurlman*AT*squaretwo*DOT*net
http://blogs.squaretwo.net

"Ryan Taylor" wrote:

> Just my two cents.
> I have been able to replicate this bug using Firefox, IE on a Windows XP SP1
> system, with .NET 1.1.4322.573 and .NET SP1 running IIS 5.0.
> I have not been able to replicate this on Windows 2003 Server, with .NET
> 1.1.4322.573 and .NET SP1 running IIS 6.0.
> Ryan Taylor
>
"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:7E2C8F9E-931E-49D9-9AC7-505FB58A3FC1@.microsoft.com...
> Yes, apparently the URL normalization that IIS 6.0 manages is mitigating
> this particular issue.
> What's worse is that now it appears to affect Windows authentication as
> well as forms auth; see
> http://blogs.squaretwo.net/PermaLin...6e-f2576fa2b0f1
> for details.
> Is there any hope of Microsoft or even an MVP giving us any word on this,
> or are they just hoping it'll go away?

I doubt that they'll speak before they have something to say. I'd assume
they've seen these posts, though if we knew that an MVP had seen these
posts, it would make me feel better.
--
John Saunders
Agreed; I realized today that MS probably has an edict from on high that they
can't say anything until a patch is released for this. I don't know if such
a thing would extend to MVPs, but a simple "yep, on it" would be good enough
for now if that's all we can get.

--
Greg Hurlman
ghurlman*AT*squaretwo*DOT*net
http://blogs.squaretwo.net

"John Saunders" wrote:

> "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
> news:7E2C8F9E-931E-49D9-9AC7-505FB58A3FC1@.microsoft.com...
> > Yes, apparently the URL normalization that IIS 6.0 manages is mitigating
> > this particular issue.
> > What's worse is that now it appears to affect Windows authentication as
> > well as forms auth; see
> > http://blogs.squaretwo.net/PermaLin...6e-f2576fa2b0f1
> > for details.
> > Is there any hope of Microsoft or even an MVP giving us any word on this,
> > or are they just hoping it'll go away?
> I doubt that they'll speak before they have something to say. I'd assume
> they've seen these posts, though if we knew that an MVP had seen these
> posts, it would make me feel better.
> --
> John Saunders
>
Hi,

I posted this code in another thread. It goes in the Global.aspx.vb file.
My systems are already patched so I can't test it, but for those out there
who aren't allowed to patch their systems or whose hosts haven't patched
their systems give it a spin and let me know if it works. Ken.

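Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Normalize backslashes in the requested URL to forward slashes
    ' before ASP.NET goes on to process the request.
    Dim rPath As String = Request.RawUrl
    rPath = rPath.Replace("\", "/")
    Context.RewritePath(rPath)
End Sub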

--
Ken Dopierala Jr.
For great ASP.Net web hosting try:
http://www.webhost4life.com/default.asp?refid=Spinlight

If you sign up under me and need help, email me.
"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:908B02E5-8186-426A-8AB7-79C147F115EA@.microsoft.com...
> Agreed; I realized today that MS probably has an edict from on high that
> they can't say anything until a patch is released for this. I don't know
> if such a thing would extend to MVPs, but a simple "yep, on it" would be
> good enough for now if that's all we can get.
> --
> Greg Hurlman
> ghurlman*AT*squaretwo*DOT*net
> http://blogs.squaretwo.net
> "John Saunders" wrote:
> > "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
> > news:7E2C8F9E-931E-49D9-9AC7-505FB58A3FC1@.microsoft.com...
> > > Yes, apparently the URL normalization that IIS 6.0 manages is
> > > mitigating this particular issue.
> > > What's worse is that now it appears to affect Windows authentication
> > > as well as forms auth; see
> > > http://blogs.squaretwo.net/PermaLin...6e-f2576fa2b0f1
> > > for details.
> > > Is there any hope of Microsoft or even an MVP giving us any word on
> > > this, or are they just hoping it'll go away?
> > I doubt that they'll speak before they have something to say. I'd assume
> > they've seen these posts, though if we knew that an MVP had seen these
> > posts, it would make me feel better.
> > --
> > John Saunders
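
A stricter variant of the workaround in the post above, given here as an added example that is not code from the thread: it refuses the request instead of rewriting it, and checks the decoded path, the raw URL and the physical-path mapping. The class name HardenedApplication and the helper IsSuspiciousPath are hypothetical, and Global.asax is assumed to reference the class through its Inherits attribute.

```vbnet
' Added example, not code from the thread. HardenedApplication and
' IsSuspiciousPath are hypothetical names; Global.asax is assumed to point
' at this class through its Inherits attribute.
Imports System
Imports System.IO
Imports System.Web

Public Class HardenedApplication
    Inherits System.Web.HttpApplication

    Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
        If IsSuspiciousPath(Request) Then
            ' Fail closed: refuse the request instead of rewriting it.
            Throw New HttpException(404, "Not found")
        End If
    End Sub

    Private Shared Function IsSuspiciousPath(ByVal req As HttpRequest) As Boolean
        ' 1. The decoded virtual path (no query string) must not contain "\".
        If req.Path.IndexOf("\"c) >= 0 Then Return True

        ' 2. The path part of the raw URL must not contain "\" or "%5C".
        '    The query string is cut off first so legitimate parameter
        '    values are not rejected.
        Dim raw As String = req.RawUrl
        Dim q As Integer = raw.IndexOf("?"c)
        If q >= 0 Then raw = raw.Substring(0, q)
        If raw.IndexOf("\"c) >= 0 Then Return True
        If raw.ToUpper().IndexOf("%5C") >= 0 Then Return True

        ' 3. The mapped file path must already be canonical: if resolving
        '    it yields a different path, the URL was not in normal form.
        Dim physical As String = req.PhysicalPath
        Return String.Compare(Path.GetFullPath(physical), physical, True) <> 0
    End Function
End Class
```

Rejecting avoids depending on how a rewritten path is re-evaluated later in the request, and it complements the per-page role checks recommended earlier in the thread rather than replacing them.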
Hi,

I shouldn't have said patched. I meant I have all the latest service packs.
The exploit doesn't work on Windows 2003 Server, ASP.Net 1.0. And it
doesn't work on Windows 2000 Pro, ASP.Net 1.0. Someone in this thread said
it doesn't work on Windows 2003 Server, ASP.Net 1.1. Can anyone try Windows
2000 Server, 1.0 and 1.1? If those aren't vulnerable then this isn't a big
deal for most people. There can't be too many companies running their
production website with XP Pro. At least I hope there isn't. Ken.

"Ken Dopierala Jr." <kdopierala2@.wi.rr.com> wrote in message
news:eQuT3YCqEHA.2456@.TK2MSFTNGP10.phx.gbl...
> Hi,
> I posted this code in another thread. It goes in the Global.aspx.vb file.
> My systems are already patched so I can't test it, but for those out there
> who aren't allowed to patch their systems or whose hosts haven't patched
> their systems give it a spin and let me know if it works. Ken.
> Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
> Dim rPath As String = Request.RawUrl
> rPath = rPath.Replace("\", "/")
> Context.RewritePath(rPath)
> End Sub
> --
> Ken Dopierala Jr.
> For great ASP.Net web hosting try:
> http://www.webhost4life.com/default.asp?refid=Spinlight
> If you sign up under me and need help, email me.
> "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
> news:908B02E5-8186-426A-8AB7-79C147F115EA@.microsoft.com...
> > Agreed; I realized today that MS probably has an edict from on high that
> > they can't say anything until a patch is released for this. I don't know
> > if such a thing would extend to MVPs, but a simple "yep, on it" would be
> > good enough for now if that's all we can get.
> > --
> > Greg Hurlman
> > ghurlman*AT*squaretwo*DOT*net
> > http://blogs.squaretwo.net
> > "John Saunders" wrote:
> > > "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
> > > news:7E2C8F9E-931E-49D9-9AC7-505FB58A3FC1@.microsoft.com...
> > > > Yes, apparently the URL normalization that IIS 6.0 manages is
> > > > mitigating this particular issue.
> > > > What's worse is that now it appears to affect Windows authentication
> > > > as well as forms auth; see
> > > > http://blogs.squaretwo.net/PermaLin...6e-f2576fa2b0f1
> > > > for details.
> > > > Is there any hope of Microsoft or even an MVP giving us any word on
> > > > this, or are they just hoping it'll go away?
> > > I doubt that they'll speak before they have something to say. I'd
> > > assume they've seen these posts, though if we knew that an MVP had seen
> > > these posts, it would make me feel better.
> > > --
> > > John Saunders
We are running Windows 2000 Server SP4 ASP.Net 1.1 (w/o SP1) and I was not
able to duplicate...

I am not sure if we had URL Scan installed. I will need to check.

Greg

"Ken Dopierala Jr." <kdopierala2@.wi.rr.com> wrote in message
news:OKmcEkCqEHA.3920@.TK2MSFTNGP14.phx.gbl...
> Hi,
> I shouldn't have said patched. I meant I have all the latest service packs.
> The exploit doesn't work on Windows 2003 Server, ASP.Net 1.0. And it
> doesn't work on Windows 2000 Pro, ASP.Net 1.0. Someone in this thread
> said it doesn't work on Windows 2003 Server, ASP.Net 1.1. Can anyone try
> Windows 2000 Server, 1.0 and 1.1? If those aren't vulnerable then this
> isn't a big deal for most people. There can't be too many companies
> running their production website with XP Pro. At least I hope there
> isn't. Ken.
> "Ken Dopierala Jr." <kdopierala2@.wi.rr.com> wrote in message
> news:eQuT3YCqEHA.2456@.TK2MSFTNGP10.phx.gbl...
>> Hi,
>>
>> I posted this code in another thread. It goes in the Global.aspx.vb file.
>> My systems are already patched so I can't test it, but for those out there
>> who aren't allowed to patch their systems or whose hosts haven't patched
>> their systems give it a spin and let me know if it works. Ken.
>>
>> Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
>> Dim rPath As String = Request.RawUrl
>> rPath = rPath.Replace("\", "/")
>> Context.RewritePath(rPath)
>> End Sub
>>
>> --
>> Ken Dopierala Jr.
>> For great ASP.Net web hosting try:
>> http://www.webhost4life.com/default.asp?refid=Spinlight
>>
>> If you sign up under me and need help, email me.
>> "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
>> news:908B02E5-8186-426A-8AB7-79C147F115EA@.microsoft.com...
>> > Agreed; I realized today that MS probably has an edict from on high
>> > that they can't say anything until a patch is released for this. I
>> > don't know if such a thing would extend to MVPs, but a simple "yep, on
>> > it" would be good enough for now if that's all we can get.
>> > --
>> > Greg Hurlman
>> > ghurlman*AT*squaretwo*DOT*net
>> > http://blogs.squaretwo.net
>> > "John Saunders" wrote:
>> > > "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
>> > > news:7E2C8F9E-931E-49D9-9AC7-505FB58A3FC1@.microsoft.com...
>> > > > Yes, apparently the URL normalization that IIS 6.0 manages is
>> > > > mitigating this particular issue.
>> > > > What's worse is that now it appears to affect Windows
>> > > > authentication as well as forms auth; see
>> > > > http://blogs.squaretwo.net/PermaLin...6e-f2576fa2b0f1
>> > > > for details.
>> > > > Is there any hope of Microsoft or even an MVP giving us any word on
>> > > > this, or are they just hoping it'll go away?
>> > > I doubt that they'll speak before they have something to say. I'd
>> > > assume they've seen these posts, though if we knew that an MVP had
>> > > seen these posts, it would make me feel better.
>> > > --
>> > > John Saunders
"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:7E2C8F9E-931E-49D9-9AC7-505FB58A3FC1@.microsoft.com...
> Is there any hope of Microsoft or even an MVP giving us any word on this,
> or
> are they just hoping it'll go away?

This *is not* my area of expertise, but since no one has responded yet in
this thread, I'll point these out:
http://www.microsoft.com/security/incident/aspnet.mspx
http://support.microsoft.com/?kbid=887459

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsser...ty/centers/iis/
http://mvp.support.microsoft.com/
http://www.iisfaq.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://www.tryiis.com
