[NT] ASP.NET Session Information Leakage
From: support@securiteam.com
Date: 02/22/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 22 Feb 2002 22:52:00 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ASP.NET Session Information Leakage
------------------------------------------------------------------------
SUMMARY
When writing or debugging an ASP.NET system, you can set a Trace parameter
in your Web Application configuration. This gives you a detailed session
breakdown of each HTTP GET/POST handled by your app, which is useful when
you are debugging your ASP.NET system. However, many ASP writers forget to
disable this parameter, leaving their servers open to exposure of sensitive
information.
DETAILS
Building an ASP.NET app creates a file called Web.config, which is
your ASP site's configuration file in XML format. One of the options in
there is TRACE (which can be set to true or false), which in turn
creates a file called TRACE.AXD. This file is publicly browsable from IE,
and many administrators/developers do not seem to disable the trace
option when they put their sites into production mode.
Example:
Request Details
Session Id: Request Type: POST
Time of Request: 2/13/2002 10:39:32 PM Status Code: 302
Request Encoding: Unicode (UTF-8) Response Encoding: Unicode (UTF-8)
Trace Information
Category Message From First(s) From Last(s)
aspx.page Begin Init
aspx.page End Init 0.000127 0.000127
aspx.page Begin LoadViewState 0.000170 0.000043
aspx.page End LoadViewState 0.001324 0.001154
aspx.page Begin ProcessPostData 0.001394 0.000070
aspx.page End ProcessPostData 0.001568 0.000175
aspx.page Begin ProcessPostData Second Try 0.207433 0.205864
aspx.page End ProcessPostData Second Try 0.207515 0.000082
aspx.page Begin Raise ChangedEvents 0.207546 0.000031
aspx.page End Raise ChangedEvents 0.207580 0.000034
aspx.page Begin Raise PostBackEvent 0.207611 0.000031
Control Tree
Control Id Type Render Size Bytes (including children) Viewstate Size
Bytes (excluding children)
Cookies Collection
Name Value Size
MSPAuth
1QNVodOH0D8DV7u8GxpRvPWsMplOqCyg*Kmn!Tu9NpcdiZ7MbTyd2mVHSXXhOtalutpluZyLdkR
KdpNd6F45PasQ$$ 98
MSPProf
1QNVodOH0GgESz58gJzsJDrYuVEc4eSBvLbbzrNMegM2F59LQ0Txe!lLfEkfwHHzgzDs7jOfUFgOs
kYxu1rFKmKdETvbwD4NhpAQ07Vzz52!Q77Ca0ZJY1qPDHZEZ6FxAXd7I5yhSIJnw$ 150
ASP.NET_SessionId rfgmk545aee3iz45li2yfp3e 42
Headers Collection
Name Value
Cache-Control no-cache
Connection Keep-Alive
Content-Length 4181
Content-Type application/x-www-form-urlencoded
Accept image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept-Encoding gzip, deflate
Accept-Language en-us
Cookie
MSPAuth=1QNVodOH0D8DV7u8GxpRvPWsMplOqCyg*Kmn!Tu9NpcdiZ7MbTyd2mVHSXXhOtalut
pluZyLdkRKdpNd6F45PasQ$$;
MSPProf=1QNVodOH0GgESz58gJzsJDrYuVEc4eSBvLbbzrNMegM2F59L
Q0Txe!lLfEkfwHHzgzDs7jOfUFgOskYxu1rFKmKdETvbwD4NhpAQ07Vzz52!Q77Ca0ZJY1qPDHZEZ6FxAX
d7I5yhSIJnw$
Host www.vulnerablehost.com
Referer http://www.vulnerablehost.com/public_pages.aspx
User-Agent Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Form Collection
Name Value
__EVENTTARGET rpMembers:_ctl0:hlPubPgsUpdated
__EVENTARGUMENT
__VIEWSTATE
_ctl1:txtSearch
_ctl1:ddlSearch all
tbPage 1
Server Variables
Name Value
ALL_HTTP HTTP_CACHE_CONTROL:no-cache HTTP_CONNECTION:Keep-Alive
HTTP_CONTENT_LENGTH:4181
HTTP_CONTENT_TYPE:application/x-www-form-urlencoded HTTP_ACCEPT:image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
HTTP_ACCEPT_ENCODING:gzip, deflate HTTP_ACCEPT_LANGUAGE:en-us
HTTP_COOKIE:MSPAuth=1QNVodOH0D8DV7u8GxpRvPWsMplOqCyg*Kmn!Tu9NpcdiZ7MbTyd2
mVHSXXhOtalutpluZyLdkRKdpNd6F45PasQ$$;
MSPProf=1QNVodOH0GgESz58gJzsJDrYuVEc4eSBvLbbzrNMegM2F59LQ0Txe!lLfEkfwHHzgzDs7j
OfUFgOskYxu1rFKmKdETvbwD4NhpAQ07Vzz52!Q77Ca0ZJY1qPDHZEZ6FxAXd7I5yhSIJnw$
HTTP_HOST:www.vulnerablehost.com
HTTP_REFERER:http://www.vulnerablehost.com/public_pages.aspx
HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
ALL_RAW Cache-Control: no-cache Connection: Keep-Alive Content-Length:
4181 Content-Type: application/x-www-form-urlencoded Accept: image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */* Accept-Encoding:
gzip, deflate Accept-Language: en-us Cookie:
MSPAuth=1QNVodOH0D8DV7u8GxpRvPWsMplOqCyg*Kmn!Tu9NpcdiZ7MbTyd2mVHSXXhOtalut
pluZyLdkRKdpNd6F45PasQ$$;
MSPProf=1QNVodOH0GgESz58gJzsJDrYuVEc4eSBvLbbzrNMegM2F59LQ0Txe!lLfEkfwHHzgzDs7j
OfUFgOskYxu1rFKmKdETvbwD4NhpAQ07Vzz52!Q77Ca0ZJY1qPDHZEZ6FxAXd7I5yhSIJnw$
Host: www.vulnerablehost.com Referer:
http://www.vulnerablehost.com/public_pages.aspx User-Agent: Mozilla/4.0
(compatible; MSIE 5.01; Windows NT 5.0)
APPL_MD_PATH /LM/W3SVC/1/ROOT
APPL_PHYSICAL_PATH c:\vulnerablehost-beta2-website\
AUTH_TYPE
AUTH_USER
AUTH_PASSWORD
LOGON_USER
REMOTE_USER
CERT_COOKIE
CERT_FLAGS
CERT_ISSUER
CERT_KEYSIZE
CERT_SECRETKEYSIZE
CERT_SERIALNUMBER
CERT_SERVER_ISSUER
CERT_SERVER_SUBJECT
CERT_SUBJECT
CONTENT_LENGTH 4181
CONTENT_TYPE application/x-www-form-urlencoded
GATEWAY_INTERFACE CGI/1.1
HTTPS off
HTTPS_KEYSIZE
HTTPS_SECRETKEYSIZE
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
INSTANCE_ID 1
INSTANCE_META_PATH /LM/W3SVC/1
LOCAL_ADDR 18.92.0.166
PATH_INFO /public_pages.aspx
PATH_TRANSLATED c:\vulnerablehost-beta2-website\public_pages.aspx
QUERY_STRING
REMOTE_ADDR *** Obfuscated to stop the kiddies, but yes, it gives the IP
of who visited the site in this session :) ***
REMOTE_HOST *** Obfuscated to stop the kiddies, but yes, it gives the IP
of who visited the site in this session :) ***
REQUEST_METHOD POST
SCRIPT_NAME /public_pages.aspx
SERVER_NAME www.vulnerablehost.com
SERVER_PORT 80
SERVER_PORT_SECURE 0
SERVER_PROTOCOL HTTP/1.1
SERVER_SOFTWARE Microsoft-IIS/5.0
URL /public_pages.aspx
HTTP_CACHE_CONTROL no-cache
HTTP_CONNECTION Keep-Alive
HTTP_CONTENT_LENGTH 4181
HTTP_CONTENT_TYPE application/x-www-form-urlencoded
HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
HTTP_ACCEPT_ENCODING gzip, deflate
HTTP_ACCEPT_LANGUAGE en-us
HTTP_COOKIE
MSPAuth=1QNVodOH0D8DV7u8GxpRvPWsMplOqCyg*Kmn!Tu9NpcdiZ7MbTyd2mVHSXXhOtalut
pluZyLdkRKdpNd6F45PasQ$$;
MSPProf=1QNVodOH0GgESz58gJzsJDrYuVEc4eSBvLbbzrNMegM2F59LQ0Txe!lLfEkfwHHzgzDs7j
OfUFgOskYxu1rFKmKdETvbwD4NhpAQ07Vzz52!Q77Ca0ZJY1qPDHZEZ6FxAXd7I5yhSIJnw$
HTTP_HOST www.vulnerablehost.com
HTTP_REFERER http://www.vulnerablehost.com/public_pages.aspx
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
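The Trace option described under DETAILS can be checked for before a site goes into production. The following is an added example, not part of the original advisory: it parses a Web.config and reports each enabled `<trace>` element and whether `localOnly` restricts the viewer to the server itself. The sample configs are constructed, and treating a missing `localOnly` as true is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, not taken from the site in the advisory.
EXPOSED = """<configuration>
  <system.web>
    <trace enabled="true" requestLimit="10" pageOutput="false" localOnly="false" />
  </system.web>
  <location path="admin">
    <system.web><trace enabled="true" /></system.web>
  </location>
</configuration>"""

HARDENED = """<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>"""


def _local(tag):
    """Strip an XML namespace prefix such as '{uri}trace' down to 'trace'."""
    return tag.rsplit("}", 1)[-1]


def _flag(value, default):
    """Parse an XML boolean attribute; a missing attribute takes the default."""
    return default if value is None else value.strip().lower() == "true"


def audit_trace(config_xml):
    """Return (scope, severity, message) for each enabled <trace> element."""
    root = ET.fromstring(config_xml)
    # <system.web> sits directly under the root or under <location path="...">.
    scopes = [("/", root)]
    scopes += [(e.get("path", "/"), e) for e in root.iter() if _local(e.tag) == "location"]
    findings = []
    for scope, node in scopes:
        for web in (c for c in node if _local(c.tag) == "system.web"):
            for trace in (c for c in web if _local(c.tag) == "trace"):
                if not _flag(trace.get("enabled"), False):
                    continue
                # Assumption: localOnly defaults to true when omitted.
                if _flag(trace.get("localOnly"), True):
                    findings.append((scope, "warn", "trace enabled, local requests only"))
                else:
                    findings.append((scope, "high", "trace.axd readable by remote clients"))
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_trace(text) or "trace disabled")
```
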
ADDITIONAL INFORMATION
The information has been provided by Rob Cowell
<rob@robcowell.worldonline.co.uk>.