(Microsoft Has Issues a Workaround) Microsoft .NET Forms Authentication Can Be Bypassed By Remote Users
|
|
SecurityTracker Alert ID: 1012160 |
|
SecurityTracker URL: http://securitytracker.com/id/1012160
|
|
CVE Reference:
CAN-2004-0847
(Links to External Site)
|
Date: Nov 10 2004
|
Impact:
User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
A vulnerability was reported in Microsoft .NET in the forms authentication. A remote user can bypass the authentication process.
In September 2004, Toby Beaumont reported that a remote user can supply an HTTP GET request with a specially crafted URL that contains a backslash instead of a forward slash to gain access to the requested resource without having to authenticate.
An demonstration exploit example URL is of the following format:
http://[target]/secure\somefile.aspx
|
Impact:
A remote user can gain access to restricted resources without having to authenticate.
|
Solution:
Microsoft confirms that all versions of ASP.NET may be affected, regardless of the version of ISS that is used. As a workaround, Microsoft advises that you read the following article and associated Knowledge Base articles:
http://www.microsoft.com/security/incident/aspnet.mspx
Microsoft has released an HTTP module to assist in deploying a configuration that ensures proper canonicalization of URLs. The Microsoft ASP.NET ValidatePath module (VPModule.msi) is available at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=DA77B852-DFA0-4631-AAF9-8BCC6C743026
Information on how to install and deploy this module is provided in Microsoft Knowledge Base Article 887289, "HTTP Module to Check for Canonicalization Issues with ASP.NET," available at:
http://support.microsoft.com/kb/887289
There is also a scanning tool to test whether this ValidatePath module is installed. The Microsoft ASP.NET ValidatePath module scanner (VPModuleScanner.js) is available at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=BE7366F5-82A1-444F-9EBC-D70B6C8830DD
|
Vendor URL: www.microsoft.com/security/incident/aspnet.mspx (Links to External Site)
|
Cause:
Access control error, Input validation error
|
Underlying OS:
Windows (Any)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 9 Nov 2004 20:56:27 -0500
Subject: http://www.microsoft.com/security/incident/aspnet.mspx
|
Microsoft confirms that all versions of ASP.NET may be affected, regardless of the
version of ISS that is used.
As a workaround, Microsoft advises that you read the following article and
associated Knowledge Base articles:
http://www.microsoft.com/security/incident/aspnet.mspx
Microsoft has released an HTTP module to assist in deploying a configuration that
ensures proper canonicalization of URLs. The Microsoft ASP.NET ValidatePath module
(VPModule.msi) is available at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=DA77B852-DFA0-4631-AAF9-8BCC6C743026
Information on how to install and deploy this module is provided in Microsoft
Knowledge Base Article 887289, "HTTP Module to Check for Canonicalization Issues
with ASP.NET," available at:
http://support.microsoft.com/kb/887289
There is also a scanning tool to test whether this ValidatePath module is installed.
The Microsoft ASP.NET ValidatePath module scanner (VPModuleScanner.js) is available at:
http://www.microsoft.com/downloads/details.aspx?FamilyId=BE7366F5-82A1-444F-9EBC-D70B6C8830DD
|
|
