RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
From: Tim Farley (tfarley_at_spidynamics.com)
Date: 05/03/05
- Previous message: cybertronic_at_gmx.net: "dSMTP - SMTP Mail Server 3.1b Linux Remote Root Format String Exploit"
- Maybe in reply to: Michal Zalewski: "ASP.NET __VIEWSTATE crypto validation prone to replay attacks"
- Next in thread: Michal Zalewski: "Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks"
Date: Tue, 3 May 2005 12:58:33 -0400
To: <bugtraq@securityfocus.com>
Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a property "ViewStateUserKey" to the System.Web.UI.Page class in .NET Framework 1.1. The documentation for this property is here:
Of course, it is up to the individual web page developer to ensure an appropriate non-trivial value has been placed into this property. As we all know, this is exactly the sort of detail that developers often forget or flub, with disastrous results.
--Tim Farley
SPI Dynamics
Start Secure. Stay Secure.
Security Assurance Throughout the Application Lifecycle.
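
The following is an added example, not part of the original message and not Microsoft's or SPI Dynamics' code: one way to set ViewStateUserKey once, in a shared base page, so individual pages cannot forget it. The class name UserKeyedPage and the session marker name "vsk.pinned" are assumptions; it also assumes session state is enabled for the application.

```csharp
using System;
using System.Web.UI;

// Hypothetical base class: pages inherit from this instead of
// System.Web.UI.Page, so the key is set in one place for the whole site.
public class UserKeyedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // With cookie-based sessions, ASP.NET issues a new SessionID on every
        // request until something is stored in Session. A key that changes
        // between the GET and the postback makes every postback fail
        // validation, so pin the session first.
        if (Session["vsk.pinned"] == null)
        {
            Session["vsk.pinned"] = true;
        }

        // Per-user, non-guessable value: the view state MAC is computed with
        // this key mixed in, so view state issued to one session does not
        // validate when replayed from another.
        string key = Session.SessionID;

        // Also bind to the authenticated identity when there is one, so view
        // state from before a login or user switch is rejected afterwards.
        if (User != null && User.Identity.IsAuthenticated)
        {
            key = User.Identity.Name + "|" + key;
        }

        // Must be assigned during initialization; setting it later in the
        // page life cycle throws an HttpException. The key only has an effect
        // while view state MAC validation (EnableViewStateMac) is on.
        ViewStateUserKey = key;

        base.OnInit(e);
    }
}
```

A constant, an empty string, or a value shared by all users (such as the page name) gives no per-user binding and leaves the replay cases unchanged.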