ASP 101 - Active Server Pages 101 - Web04
Important Information About an ASP.NET Vulnerability

by John Peterson

Microsoft has released a patch that is meant to help protect against a reported vulnerability in ASP.NET. It's recommended that ASP.NET users either install the patch or implement the previously-published workaround to prevent unauthorized Web site visitors from viewing secured content.

From Microsoft:

Microsoft is continuing to investigate a reported vulnerability in Microsoft ASP.NET. Reports have indicated that an attacker could send specially crafted requests to a Web server running ASP.NET applications and bypass forms based authentication or Windows authorization configurations, and potentially view secured content without providing the proper credentials. Our initial investigation has revealed that all versions of ASP.NET could be affected, independent of the installed IIS version or IIS components.

Microsoft strongly advises, as a preventative measure, that all Web content owners and administrators who are running any version of ASP.NET immediately read and implement one of the suggestions made in the Microsoft Knowledge Base articles listed on this page.

With the release of this patch, there are currently two different fixes available: a workaround and the patch.

The workaround consists of code that, while quite simple, needs to be added to every application's Global.asax file. Because the change is made per application, it can be troublesome to roll out and it does not prevent the problem in future applications. Therefore, unless you have a specific reason to choose the workaround route, I'd recommend using the patch.

The patch is available as a free download from Microsoft's site. It's basically just an HTTP module called ValidatePath, distributed as an .msi package. It installs quickly and easily without requiring a reboot or web server restart, and I've yet to hear of anyone having any problems with it.
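The trade-off between the two fixes, as an added C# example (not Microsoft's code, not the ValidatePath source, and not part of the original article): the same request-path check can live in each application's Global.asax or in a single HTTP module registered for the whole server. `PathCheckModule`, `PathCheckAssembly` and the two checks themselves (rejecting a backslash in the URL path and a physical path that is not already in canonical form) are assumptions for illustration; take the authoritative code from Microsoft's Knowledge Base articles.

```csharp
// Added illustration. PathCheckModule is a hypothetical name and the two
// checks are assumptions; this is not the source of Microsoft's ValidatePath.
using System;
using System.IO;
using System.Web;

public class PathCheckModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before the authentication and authorization
        // stages, so a rejected request never reaches them.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Request;
        if (!IsCanonical(request.Path, request.PhysicalPath))
        {
            // Answer as if the resource does not exist.
            throw new HttpException(404, "Not Found");
        }
    }

    // True only when the URL path contains no backslash and the mapped file
    // path is already the form the file system would resolve it to.
    public static bool IsCanonical(string urlPath, string physicalPath)
    {
        if (urlPath.IndexOf('\\') >= 0) return false;
        return Path.GetFullPath(physicalPath) == physicalPath;
    }
}

// Per-application form (workaround style): the same test goes inside
// Application_BeginRequest in every application's Global.asax, and has to be
// repeated for each application deployed later.
//
// Server-wide form (module style): compile once and register once in
// machine.config (assembly name is a placeholder):
//   <httpModules>
//     <add name="PathCheckModule" type="PathCheckModule, PathCheckAssembly" />
//   </httpModules>
```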

You can find more information about the vulnerability and the different approaches to eliminating it from the links below:

