Security bug in .NET Forms Authentication

From: Toby Beaumont (toby_at_CREATOR.CO.UK)
Date: 09/14/04

  • Next message: Brendon Rogers: "Office update, did it work?"
    Date:         Tue, 14 Sep 2004 12:42:28 +0100


    We believe we have discovered a serious flaw in .NET forms authentication
    when used to secure sub folders.

    A standard forms authentication setup requires the presence of "web.config"
    to set the authentication method and login procedure. The presence of this
    file prevents access to certain files (.aspx files for example) unless


    The webroot for your website is:


    You want to secure files in a sub directory "secure"


    A request to http://localhost/secure/somefile.aspx would then redirect the
    user to a predefined authentication page, as defined in web.config, before
    allowing the user access to "somefile.aspx".


    1. Using Mozilla not IE, you make a request to
    http://localhost/secure\somefile.aspx The use of a backslash rather than a
    forward slash appears to bypass the expected authentication model invoked in
    .NET forms authentication
    2. Using IE, you make a request to http://localhost/secure\somefile.aspx -
    IE automatically replaces the backslash "\" with a forward slash "/" and
    everything appears fine. However, replace the backslash "\" with %5C (%5C
    being hex value for \) and all is not so fine:
    Interestingly (and I guess now somewhat amusingly) Microsoft point out in
    the article "Design Guidelines for Secure Web Applications"
    "Be Careful with Canonicalization Issues:
    Data in canonical form is in its most standard or simplest form.
    Canonicalization is the process of converting data to its canonical form.
    File paths and URLs are particularly prone to canonicalization issues and
    many well-known exploits are a direct result of canonicalization bugs. For
    example, consider the following string that contains a file and path in its
    canonical form."
    And then goes on to define the exploit ;-)
    (Russ - I have not posted this message anywhere as yet, nor have I contacted
    Microsoft. If you indeed confirm this exploit, you are the first to know).
    Toby Beaumont
    Director of Technology
    This email and any attached files are for the exclusive use of the addressee
    and may contain privileged and/or confidential information. If you receive
    this email in error you should not disclose the contents to any other person
    nor take copies but should delete it and telephone us immediately.
    Creator makes no warranty as to the accuracy or completeness of this email
    and accepts no liability for its contents or use. Any opinions expressed in
    this email are those of the author and do not necessarily reflect the
    opinions of Creator. 
    If you or your employer does not consent to the receipt of emails of this
    kind then please notify us immediately.
    4 Grafton Mews
    W1T 5JE
    United Kingdom
    Tel: 020 7391 5151
    DDI: 020 7391 5128
    Fax: 020 7391 5152
    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.

  • Next message: Brendon Rogers: "Office update, did it work?"

    Relevant Pages

    • Re: PEAP-TLS vs EAP-TLS
      ... The documentation is correct in the order of being most secure though most ... confusing here is that EAP and EAP-TLS are not the same. ... does not allow authentication to be done in clear text. ... Take a look at "Securing Wireless LANs with Certificate Services" ...
    • Re: RE: Telnet/SSL v SSH
      ... My real question is which is better to secure the communication between them. ... I'm interested in authentication and non-repudiation if possible. ... >nearly the same robustness as SSH from the perspective of Authentication, ...
    • Re: PEAP-TLS vs EAP-TLS
      ... and PEAP is that PEAP is a two-step process where 1) the RADIUS server is ... authenticated to the client via the RADIUS server's certificate, ... encrypted TLS channel is set up for 2) client authentication (either using ... But I wonder how much more secure PEAP-TLS is than EAP-TLS, ...
    • Re: How do I prevent unauthorized ssh login attempts?
      ... public/private keys or username/password. ... The key word that I made sure to put in was 'remote'. ... With passphrases, it becomes a two-step authentication, one locally to unlock the private key, and one remotely to at least confirm that you have the other half of the key. ... you may know better than I do: is there a web page or blog somewhere that coalesces all the different things that should be done/are currently best-practice to secure a system? ...
    • Re: Login Page
      ... > I am looking for a way to make my website secure. ... > authentication tied into a login page. ... Dim strADsPath ... Tom Kaminski IIS MVP ...