ASP.Net Vulnerability and SharePoint

UPDATE 09/28/10: Check out new security bulletin to download updates https://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

You may have already read these articles. If not, please do it right now.

https://www.microsoft.com/technet/security/advisory/2416728.mspx

https://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

I will not repeat the message in those posts, but you should follow the instructions to prevent potential attacks.

So how about SharePoint Server 2007 and WSS 3.0? It’s not on SharePoint Team Blog (yet).

You may need to follow the workaround for ASP.Net 1.0~3.5:

  • Put error.html in %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\12\template\layouts
  • Modify web.config in each directory under %SystemDrive%\inetpub\wwwroot\wss\virtualdirectories to have a customerror section like this: <customErrors mode="On" defaultRedirect="/_layouts/error.html" />
  • IISRESET /NOFORCE

Update: 2007/WSS3 is not vulnerable to the attack. No workaround is needed right now, but you still need to apply the fix when it come out.

Please follow the updated SP team blog post for 2007 issue:

https://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

How to validate? Can I type in some non-existing pages to test if web.config changes work on SharePoint?

The answer would be no. When you try to access a non-existing page on a SharePoint site with a modified web.config you will still have 404 codes. But SharePoint has its own custom error handler to generate those 404s for non-existing pages, which will not be able to be used directly by the attack. The workaround will be able to prevent error codes from being generated by accessing certain ASP.Net resources, and it would work if you followed the steps correctly.

Just remember, the ultimate solution is the upcoming ASP.Net fix. This workaround is just temporary, get you protection before the patch is released. Once it’s released, apply the fix and then restore your web.config to the original ones.

Jie

Comments

  • Anonymous
    September 21, 2010
    That's odd. Doesn't SP2010 also have custom error handler. I'm surprised but releaved that SP2007 is not vulnerable. I still don't fully understand why it's not.

  • Anonymous
    September 21, 2010
    Just got updated from our security folks - there's a chance for 2007 to be attacked, please follow the updated post on SharePoint team blog to implement the workaround.

  • Anonymous
    February 23, 2011
    http://www.deecoup.com Secure Software Development Application

  • Anonymous
    May 15, 2011
    The comment has been removed

  • Anonymous
    July 26, 2011
    I want to get some <a href="www.facebookstatus123.com/.../hilarious-facebook-status">hilarious facebook status</a> great experience this summer. if so, be sure to explain that. Your cover letter will make a difference in getting the internship

  • Anonymous
    July 26, 2011
    I want to get some <a href="www.facebookstatus123.com/.../hilarious-facebook-status">hilarious facebook status</a> great experience this summer. if so, be sure to explain that. Your cover letter will make a difference in getting the internship

  • Anonymous
    August 10, 2011
    Very helpful post. Very clear commentary and suggested phrasing are most impressive, as are his and your generosity in sharing this explanation and example. www.testbells.com/646-364.html

  • Anonymous
    October 20, 2011
    I Didnot got what u said.... www.getfacebookbanners.com for more..

  • Anonymous
    November 13, 2011
    Hello I Really Like Your Post. For Those Who Enjoy Statuses On Facebook, We're Just Trying To Make New Status And You Can Also Get Latest Statuses From <a href="www.123status.com/">Facebook Status</a>.

  • Anonymous
    December 26, 2011
    Hello No doubt you upload a great article for readers. I really appropriate, Please keep sharing informative stuff. Regard http://www.mystatuses.com/

  • Anonymous
    January 18, 2012
    Thanks For Giving Us Such Wonderful Knowledge. Lots of Facebook Status ideas to make your facebook wall more interesting. These Facebook Statuses can be updated on your wall within few clicks from http://www.123status.com/.

  • Anonymous
    March 21, 2012
    I want to implement the same technique for my site too at http://ifacebookstatus.com/

  • Anonymous
    May 30, 2012
    The latest vulnerabilities in Microsoft SharePoint that I read was about allowing elevation of privilege. According to technet, the affected programs are Microsoft SharePoint Server 2010 and Microsoft SharePoint Server 2010 Service Pack 1. Thanks, Arun http://arunsan.com

  • Anonymous
    August 20, 2012
    The comment has been removed