ASP 101 - Active Server Pages 101 - Web04

Important Information About an ASP.NET Vulnerability

by John Peterson

Microsoft has released a patch that is meant to help protect against a reported vulnerability in ASP.NET. It's recommended that ASP.NET users either install the patch or implement the previously-published workaround to prevent unauthorized Web site visitors from viewing secured content.

From Microsoft:

Microsoft is continuing to investigate a reported vulnerability in Microsoft ASP.NET. Reports have indicated that an attacker could send specially crafted requests to a Web server running ASP.NET applications and bypass forms based authentication or Windows authorization configurations, and potentially view secured content without providing the proper credentials. Our initial investigation has revealed that all versions of ASP.NET could be affected, independent of the installed IIS version or IIS components.

Microsoft strongly advises, as a preventative measure, that all Web content owners and administrators who are running any version of ASP.NET immediately read and implement one of the suggestions made in the Microsoft Knowledge Base articles listed on this page.

With the release of this patch, there are currently two different fixes available: a workaround and the patch.

The workaround consists of code that, while quite simple, needs to be added to every application's Global.asax file. This can be troublesome to implement and does not prevent the problem in future applications. Therefore, unless you have a specific reason to choose the workaround route, I'd recommend using the patch.

The patch is available as a free download from Microsoft's site. It's basically just an HTTP module called ValidatePath, which is distributed as an .msi package. It installs quickly and easily without requiring a reboot or web server restart, and I've yet to hear of anyone having any problems with it.

You can find more information about the vulnerability and the different approaches to eliminating it from the links below:

Links

