[NT] Microsoft ASP.NET Request Validation Bypass Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 09/15/03

  • Next message: SecuriTeam: "[REVS] GPRS Wireless Security: Not Ready For Prime Time" 
    To: list@securiteam.com
Date: 15 Sep 2003 16:23:12 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Microsoft ASP.NET Request Validation Bypass Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability has been reported in ASP.NET, which can be exploited by
    malicous people to bypass the "Request Validation" security mechanism.

    DETAILS

    Vulnerable systems:
     * ASP.Net version 1.1

    The "Request Validation" mechanism designed to protect against Cross-Site
    Scripting and SQL injection allows restricted tags when they include a
    NULL byte. However, this is a problem since some browsers (e.g. Internet
    Explorer) ignore NULL bytes when parsing input, which may cause them to
    execute the content in the tags anyway.

    Example:
    <%00SCRIPT>alert(document.cookie)</SCRIPT>

    The vulnerability has been reported in the ASP.Net 1.1 framework.

    Solution:
    Don't rely on this security mechanism to protect against Cross-Site
    Scripting and SQL injection attacks. Make sure that proper input
    validation is built into web applications.

    ADDITIONAL INFORMATION

    The information has been provided by WebCohort Research.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[REVS] GPRS Wireless Security: Not Ready For Prime Time"

    Relevant Pages