ASP.Net May Disclose Objects in the Application Folder to Remote Users
|
|
SecurityTracker Alert ID: 1016465 |
|
SecurityTracker URL: http://securitytracker.com/id/1016465
|
|
CVE Reference:
CVE-2006-1300
(Links to External Site)
|
Date: Jul 11 2006
|
Impact:
Disclosure of system information, Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 2.0
|
Description:
A vulnerability was reported in ASP.Net. A remote user may be able to access objects in the Application folder.
The software does not properly validate user-supplied URLs. A remote user can bypass ASP.Net security to gain unauthorized access to objects in the Application folder. The remote user must specify the name of the object to gain access to that object.
Microsoft credits Urs Eichmann of PRISMA Informatik with reporting this vulnerability.
|
Impact:
A remote user can gain read access to objects in the Application folder.
|
Solution:
The vendor has issued the following update:
http://www.microsoft.com/downloads/details.aspx?familyid=56A1777B-9758-489F-8BE8-5177AAF488D1
A restart is not required.
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms06-033.mspx
|
Vendor URL: www.microsoft.com/technet/security/bulletin/ms06-033.mspx (Links to External Site)
|
Cause:
Access control error, Input validation error
|
Underlying OS:
Windows (2000), Windows (2003), Windows (XP)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 11 Jul 2006 13:31:40 -0400
Subject: ASP.net
|
http://www.microsoft.com/technet/security/bulletin/ms06-033.mspx
CVE-2006-1300
|
|
