Re: MS05-004: Path vulnerability still present in ASP.NET 2.0



Hi,

Unfortunately I cannot reproduce this behavior. Can you give me more details?

I get redirected to the login page. My directory structure:

/UrlAuthBug
    default.aspx
    login.aspx
    /secure
        default.aspx

The /secure dir is protected with UrlAuthorization.

If I try

http://localhost/UrlAuthBug/secure/default.aspx
-> redirect to login.aspx

http://localhost/UrlAuthBug%5csecure/default.aspx
-> also redirect

(I didn't use IE to try it - I used Fiddler and Firefox)

Is something different in your setup?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Thanks for your reply.
I was surprised to get this report also - but I have verified that it does indeed exist on this ASP.NET 2.0 web site hosted on a W2003 SP2 IIS server.
Let me know if you find anything.

"Dominick Baier [DevelopMentor]" wrote:

Hi,

I know that this was the original behavior - this vulnerability never
existed on Windows 2003/IIS6 because IIS sanitized the input...

I have to check that.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

The server O/S is W2003 SP2 (IIS 6.0)

The exploit is:
You have a sub-folder on your web site called something like 'Secure'. You use Forms Authentication to force authentication before any pages from this folder can be accessed.
All is OK if the user accesses http://myserver/myapp/secure/mypage.aspx
ASP.NET picks up the authentication / authorization and redirects.
However, if you replace one of the slashes with its hex code %5C, e.g. http://myserver/myapp%5Csecure/mypage, ASP.NET fails to recognise it should be secured and lets the user in.
This is detailed in the KB article I mentioned in my original post.

"Dominick Baier [DevelopMentor]" wrote:

Hi,

Can you give us more details...

Which OS? Details of the exploit?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

http://support.microsoft.com/kb/887219 details a vulnerability for
all ASP.NET web sites that use Forms Authentication. However, it
only lists .NET 1.0 and 1.1

Today I've received a report from a third party doing penetration
testing on a web site we developed in ASP.NET 2.0 detailing this
as a vulnerability. I've double checked and it indeed is. We have
a common base class that simply throws a default error page if the
user isn't authenticated so our app is OK but the report going to
our clients doesn't look very good!

I thought in ASP.NET 2.0 the fix for this problem was going to be
'baked-in' - it appears not.

Are there any similar patches to those detailed in the security
bulletin mentioned above?

Thanks

Richard
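
An added example, not part of the thread and not code from either poster: one way to reject the `%5C` request form described above before authorization runs, written as an ASP.NET HTTP module that refuses any request whose path contains a backslash or whose mapped physical path is not canonical. The class name `CanonicalPathModule` and the choice of a 404 response are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not code from the thread. CanonicalPathModule is a hypothetical name.
// Register it under <system.web>/<httpModules> in web.config so it runs for every
// request that IIS hands to ASP.NET.
public class CanonicalPathModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before the authentication and authorization events,
        // so a rejected request never reaches the UrlAuthorization check.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Request;
        if (!IsCanonical(request.Path, request.PhysicalPath))
        {
            // Assumption: answer 404 rather than redirecting to the login page.
            throw new HttpException(404, "Not found");
        }
    }

    // True only when the URL path uses forward slashes exclusively and the
    // physical path ASP.NET mapped it to is already in canonical form.
    public static bool IsCanonical(string virtualPath, string physicalPath)
    {
        // A decoded %5C shows up here as a literal backslash, e.g. /myapp\secure/mypage.aspx
        if (virtualPath.IndexOf('\\') >= 0) return false;
        try
        {
            // GetFullPath collapses "..", "." and mixed separators; any difference
            // means the request named the file by a non-canonical path.
            string canonical = Path.GetFullPath(physicalPath);
            return string.Equals(canonical, physicalPath, StringComparison.Ordinal);
        }
        catch (ArgumentException) { return false; }      // illegal path characters
        catch (NotSupportedException) { return false; }  // stray ':' in the path
        catch (PathTooLongException) { return false; }
    }
}
```

On IIS 6 the module only sees requests mapped to the ASP.NET ISAPI extension; files served directly by IIS never reach it.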


