ASP.NET Security Issue Posted

Tonight we posted some information and guidance around a reported security vulnerability in ASP.NET. The heart of the problem is a canonicalization issue in dealing with certain URLs. Check out the page here, and be sure to take a look at KB article 887459 if you're running an ASP.NET web site.

What You Should Know About a Reported Vulnerability in Microsoft ASP.NET

Microsoft is currently investigating a reported vulnerability in Microsoft ASP.NET. An attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This reported vulnerability exists in ASP.NET and does not affect ASP.

Remember that in North America you can receive no-charge help with security update issues or viruses by calling (866) PCSAFETY (727-2338). I'll post more on this issue as information becomes available.

Comments

• Anonymous
  October 06, 2004
  The hills are alive with the sound of music KB links echoed through blogosphere. As reported here here here here here here here here here here (and too many other places to mention), MS has released a bulletin regarding this vulnerability. If you want to correct the problem, you should add the code from KB article 887459 to your Global.asax (or Global.asax.cs or Global.asax.vb, as the case may be). I still recommend using more fine-grained security checks on each page like I mentioned earlier and that you run URLScan and IISLockdown (if you can). Or upgrade to IIS 6. Better yet, do all of the above.