This is, IMNSHO, the worst thing I've ever heard of.
Spread the word, test your sites, and send emails to Microsoft.
--
Greg Hurlman
ghurlman*AT*squaretwo*DOT*net
http://blogs.squaretwo.net
A couple of key points here:
"Confirm a user is who they should be, use the roles system in ASP.NET on
EVERY page that should be secured."
...
"Do not just rely on the Web.Config settings"
Since I wrote my first forms authentication site, I always ensured on every
page requiring authorization that the user's role allowed him access to the
page using the roles system and a few other custom methods. It's just a
habit carried over from classic asp. Stephen Fraser has several good
examples of how to avoid this particular exploit in his CMS.NET product
(http://www.gotdotnet.com/workspaces...orkspaceName&Direction=ASC&ST=cms.net)
although he never mentions the vulnerability per se.
Having said that, these MS "silly" vulnerabilities have become quite
tiresome. I really don't like having to constantly convince my bosses not
to scrap MS development products altogether in favor of Linux-based tools.
My 2
Craig
"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:3870010F-E882-420E-A6C3-F91BF71A25D3@.microsoft.com...
> http://sourceforge.net/mailarchive/...&forum_id=24754
> This is, IMNSHO, the worst thing I've ever heard of.
> Spread the word, test your sites, and send emails to Microsoft.
> --
> Greg Hurlman
> ghurlman*AT*squaretwo*DOT*net
> http://blogs.squaretwo.net
I just tried this (the \) in Firefox preview release 1 and couldn't duplicate.
I also tried it (the %5C) in IE 5.5 and IE 6 without success.
Is this for real?
Greg
"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:3870010F-E882-420E-A6C3-F91BF71A25D3@.microsoft.com...
> http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754
> This is, IMNSHO, the worst thing I've ever heard of.
> Spread the word, test your sites, and send emails to Microsoft.
> --
> Greg Hurlman
> ghurlman*AT*squaretwo*DOT*net
> http://blogs.squaretwo.net
I've been able to repro it, and then not able to after applying Framework 1.1
SP1 - don't know about 1.0 installations.
"Greg Burns" wrote:
> I just tried this (the \) in FireFox preview release 1 and couldn't
> duplicate.
> I also tried it (the %5C) in IE 5.5 and IE 6 without success.
> Is this for real?
> Greg
> "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
> news:3870010F-E882-420E-A6C3-F91BF71A25D3@.microsoft.com...
>
>
I assume you mean SP1 installed on the server hosting the ASP.NET site? My
server is still Framework 1.1 no SP applied...
(My test of IE 5.5 was done through a Citrix terminal session with no
framework on the client at all)
Greg
"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:8F89E74F-013C-47D0-A1E7-38B59C4830F5@.microsoft.com...
> I've been able to repro it, and then not able to after applying framework
> 1.1
> SP1 - don't know about 1.0 installations.
> "Greg Burns" wrote:
>
Just my two cents.
I have been able to replicate this bug using Firefox, IE on a Windows XP SP1
system, with .NET 1.1.4322.573 and .NET SP1 running IIS 5.0.
I have not been able to replicate this on Windows 2003 Server, with .NET
1.1.4322.573 and .NET SP1 running IIS 6.0.
Ryan Taylor
Yes, apparently the URL normalization that IIS 6.0 manages is mitigating this
particular issue.
What's worse is that now it appears to affect Windows authentication as well
as forms auth; see
http://blogs.squaretwo.net/PermaLin...fa2b0f1 for details.
Is there any hope of Microsoft or even an MVP giving us any word on this, or
are they just hoping it'll go away?
Greg Hurlman
ghurlman*AT*squaretwo*DOT*net
http://blogs.squaretwo.net
"Ryan Taylor" wrote:
> Just my two cents.
> I have been able to replicate this bug using Firefox, IE on a Windows XP SP1
> system, with .NET 1.1.4322.573 and .NET SP1 running IIS 5.0.
> I have not been able to replicate this on Windows 2003 Server, with .NET
> 1.1.4322.573 and .NET SP1 running IIS 6.0.
> Ryan Taylor
>
>
"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:7E2C8F9E-931E-49D9-9AC7-505FB58A3FC1@.microsoft.com...
> Yes, apparently the URL normalization that IIS 6.0 manages is mitigating
> this
> particular issue.
> What's worse is that now it appears to affect Windows authentication as
> well
> as forms auth; see
> http://blogs.squaretwo.net/PermaLin...fa2b0f1
> for details.
> Is there any hope of Microsoft or even an MVP giving us any word on this,
> or
> are they just hoping it'll go away?
I doubt that they'll speak before they have something to say. I'd assume
they've seen these posts, though if we knew that an MVP had seen these
posts, it would make me feel better.
--
John Saunders
Agreed; I realized today that MS probably has an edict from on high that they
can't say anything until a patch is released for this. I don't know if such
a thing would extend to MVPs, but a simple "yep, on it" would be good enough
for now if that's all we can get.
Greg Hurlman
ghurlman*AT*squaretwo*DOT*net
http://blogs.squaretwo.net
"John Saunders" wrote:
> "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
> news:7E2C8F9E-931E-49D9-9AC7-505FB58A3FC1@.microsoft.com...
> I doubt that they'll speak before they have something to say. I'd assume
> they've seen these posts, though if we knew that an MVP had seen these
> posts, it would make me feel better.
> --
> John Saunders
>
>
Hi,
I posted this code in another thread. It goes in the Global.asax.vb file.
My systems are already patched so I can't test it, but for those out there
who aren't allowed to patch their systems or whose hosts haven't patched
their systems give it a spin and let me know if it works. Ken.
Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Runs before ASP.NET evaluates web.config <location>/<authorization>
    ' rules: rewrite any backslash in the raw URL to a forward slash so the
    ' path that is authorized is the same path that is served.
    Dim rPath As String = Request.RawUrl
    rPath = rPath.Replace("\", "/")
    Context.RewritePath(rPath)
End Sub
Ken Dopierala Jr.
For great ASP.Net web hosting try:
http://www.webhost4life.com/default.asp?refid=Spinlight
If you sign up under me and need help, email me.
"Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
news:908B02E5-8186-426A-8AB7-79C147F115EA@.microsoft.com...
> Agreed; I realized today that MS probably has an edict from on high that they
> can't say anything until a patch is released for this. I don't know if such
> a thing would extend to MVPs, but a simple "yep, on it" would be good enough
> for now if that's all we can get.
> --
> Greg Hurlman
> ghurlman*AT*squaretwo*DOT*net
> http://blogs.squaretwo.net
> "John Saunders" wrote:
>
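An added example (not Ken's code and not part of this thread) that generalizes the BeginRequest rewrite above and Craig's "check roles on every page" advice: it canonicalizes the raw request path (query string stripped, percent-encoding undone, backslashes folded to slashes, dot segments collapsed) before applying a per-page role check. Written in Python so it can be run stand-alone; the RULES list is a constructed stand-in for web.config <location> entries.

```python
import posixpath
from urllib.parse import unquote

# Constructed rules modelled on web.config <location>/<authorization> entries:
# a protected path prefix and the roles allowed to reach it.
RULES = [
    ("/admin/", {"admin"}),
    ("/members/", {"admin", "member"}),
]


def canonicalize(raw_url):
    """Reduce a raw request URL to one canonical path before any authz decision.

    Generalizes the backslash-to-slash rewrite posted above: it also strips the
    query string, undoes (repeated) percent-encoding such as %5C or %255C, and
    collapses "." / ".." segments and doubled slashes.
    """
    path = raw_url.split("?", 1)[0]
    for _ in range(3):                    # decode until stable, bounded
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")        # the separator the thread is about
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)       # /a/./b/../c -> /a/c
    return "/" + path.lstrip("/")         # normpath keeps a leading "//"


def is_authorized(raw_url, user_roles):
    """Per-page role check, as the thread recommends, run on the canonical path."""
    path = canonicalize(raw_url)
    for prefix, allowed_roles in RULES:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return bool(set(user_roles) & allowed_roles)
    return True                           # path is not under a protected prefix


if __name__ == "__main__":
    for url in ("/admin\\page.aspx", "/admin%5Cpage.aspx", "/x/../admin/p.aspx"):
        print(url, "->", canonicalize(url), "anonymous:", is_authorized(url, set()))
```

In an ASP.NET page this check would sit in Page_Load (or a shared base page) rather than relying on web.config alone, which is the habit Craig describes.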