Re: ASP.Net vulnerability

• Previous message: John Galt: "Microsoft Knowledge Base Article - 887459"
• In reply to: Steve Shockley: "ASP.Net vulnerabillity"
• Next in thread: Russ: "Re: ASP.Net vulnerability"
• Maybe reply: Russ: "Re: ASP.Net vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Thu, 7 Oct 2004 09:34:01 -0600
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

BugTraqers,

There was lively discussion about the ASP.net vulnerability on the IIS
discussion lists at iislists.com yesterday. I've had conversations with IIS
support and the IIS team. The nut of it is that that all ASP.net
applications need to be modified per the instructions immediately.

Regardless of what you may read elsewhere, the update needs to be applied
regardless of the type of authentication used in the asp.net application.
The modifications Microsoft published are not a best practice or a
suggestion - but an essential security fix to put in place till an update to
asp.net is prepared. Disabling parent paths will not solve the problem and
I'm guessing that URLScan is not a complete solution either.

The only exception I know about is if you aren't using asp.net. In other
words, if you are only delivering static pages or classic asp, then you're
not at risk as the request has to be handled by the asp.net ISAPI. However
any website delivering ASP.net content needs to be updated ASAP.

Brett Hill
IIS MVP
IIStraining.com

--
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--

• Previous message: John Galt: "Microsoft Knowledge Base Article - 887459"
• In reply to: Steve Shockley: "ASP.Net vulnerabillity"
• Next in thread: Russ: "Re: ASP.Net vulnerability"
• Maybe reply: Russ: "Re: ASP.Net vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: My forms are not working - can anyone help me - PLEASE? ... It appears your extensions are not installed correctly or are corrupt. ... regardless if you are using IIS or Unix. ... (microsoft.public.frontpage.extensions.windowsnt) Re: The page is not found (replying only?!) ... however i recall reading somewhere that IIS 6 ... might have some built in functionality? ... regardless, this *was* working, it got borked when i ... (microsoft.public.inetserver.iis) Re: I need the same pages to come up regardless of which domain name is used ... Do you have any host header settings defined in IIS? ... you shouldn't need any) it should serve your pages regardless of what name ... I am running Widows Server 2003 with IIS 6.0. ... (microsoft.public.inetserver.iis.security) Re: XP stn logon to IIS 5 ... if you are using windows XP to host a webserver, regardless of your problem ... > A station XP that logon properly on NT domain tries to connect> automatically to a IIS 5 server using the "match NT logon" passtrough> feature ... > But the xp user access is denied on IIS although the XP user is well> connected to the Nt domain. ... > This problem occurs only with the XP station. ... (microsoft.public.windowsxp.security_admin) Re: Copy privs from one folder to another ? ... except do not put this on the IIS team. ... What you experience is totally due to the FPSE which back then ... turn to do something about the FPSE permissioning embarassment. ... (microsoft.public.win2000.security)