Microsoft Issues Ominous ASP.Net Security Warning
An anonymous reader writes "A security flaw in Microsoft's ASP.NET apparently allows access to password-protected areas just by altering a URL. There's no patch yet, but in the meantime Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits. About 2.9 million web sites run on ASP.NET according to Netcraft." Some more links: another Microsoft article, NTBugtraq, K-Otik and Heise.
There's no patch yet, but in the meantime Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits.
And that's why Microsoft is going to eventually lose the war against open source. Can you imagine the heated boardroom discussions going around the table now?
Dilbert: "Microsoft says we need to pull 20 programmers away from their current workloads to focus on fixing ASP.NET in all our websites. C-c-canon-ical-ization is what they are calling it."
Dogbert: "How long is this going to take? And who is making these words up anyway?"
Dilbert: "Two weeks." (I mean that's the standard response right?)
Dogbert: "Let's give all our programmers a holiday, effective yesterday. Shut the sites down in twenty minutes after I call our contact in Belize. It's time for EULA loophole #27. {{WAG!}}"
So do the math. And tell me, please, all ye Microsoft supporters, why Open Source lowers my ROI again!
The dangers of knowledge trigger emotional distress in human beings.
Oh, yeah. Companies now have to "rewrite their applications to prevent exploits" because of a security flaw in Microsoft's software? Wouldn't it be simpler and easier for Microsoft's customers if Microsoft fixed the flaw? Hey, if I wanted to keep my customers happy, that is the course of action I would suggest. Look, you have 2.9 million web sites out there that now have to go through and invest a number of hours of work to fix the problem. Let's say the fix is easy and only requires, say, three hours to recode and test... that is how many hours of lost productivity to the world's GDP? 8.7 million hours of lost productivity!
Visit Jonesblog and say hello.
And I thought register_globals was bad!
http://www.pr0nsite.com/loggedin.asp&sneaky&url&backdoor
~S
From what I read on it on Bugtraq it appears to be one of the good old directory traversal flaws, e.g. if you don't have access to http://server/directory/file.asp you can simply go to http://server/directory\file.asp to access it. That or else use some unicode equivalent. Isn't it funny how Microsoft's leading edge Trustworthy Computing is still vulnerable to the same old sploits?
Ah, that's easy then. Do they have a suggestion for which web app platform and OS I should rewrite my apps for?
One line blog. I hear that they're called Twitters now.
This is the American corporate way: blame the victims!
Put the burden of fixing the problem on the end-users...
They don't have to worry. All the people with black hats will rewrite the code for them... Free of charge!
Try to hack my 31337 firewall!
In *any* server-side scripting language, you should double-check each string you get from a URL, POST, etc.
About 2.9 million web sites run on ASP.NET according to Netcraft.
It's official, Netcraft confirms: A whole lotta ASP .NET sites are dying ...
I guess when it is assumed that your OS is full of security holes, you can issue a press release that more or less just says, "Our security is sh*tty right now", expect everyone to just do a collective, "Yup", and shuffle off.
Asp.NOT or asp.Nyet!
and use asp2php as found on Freshmeat.
"Straddling the sword of technology..."
Or, better yet, go read yesterday's post about Mozilla security holes. Then you can flame, bash, and troll MS while at least feeling a little guilty about it.
I thought there already was an exploit like this and they had already fixed it. I get confused by these weekly security announcements.
Oh well, these developers might as well move their stuff to more secure platforms since they need to re-write it.
MS will keep their market domination as long as people have MS Windows at home. People will keep MS at home as long as they needn't pay for Windows (either through OEM or piracy). The day MS ***seriously*** cracks down on license thieves, the market share will move away.
Artificial intelligence is no match for natural stupidity
"If a visitor to an ASP.NET site substitutes '\' or '%5C' for the '/' character in the URL, they may be able to bypass password login screens. The technique may also work if a space is subsituted for the slash." Is it just me, or is this a bit too simple even for script kiddiz?
...why people refuse to use PHP. How far are you going to trust Microsoft to get it right? How many vulnerabilities does it take?
...at the MS campus near you! I wonder what MS folks will think of the *SPLOIT* sound of all those eggs hitting their Windows.
Anyone that's familiar with .Net has probably never used this technique to secure a page on their site.
I believe most people would consider it more secure to set up a virtual folder within your web site and protect the pages within that virtual folder with either Basic or Windows Integrated Authentication.
I've never used the web.config file technique to attempt to secure pages that really needed to be secure, and I doubt many other people have either. If you did without taking any other security steps, well... time to re-think that situation.
This security vulnerability will prove to be a dud; nothing along the lines of the old ::$DATA exploits and what-not.
I'm a big tall mofo.
In typical anti-MS slashdotter bullshit, the word "re-write" is used quite liberally. A grand total of four lines of code are required per application, so no matter how big the web site is, only four lines of code (typed once in a single source code file) take care of the problem:
By the way, these 4 lines of code can be made into one line of code... Hardly an application re-write. How is this flamebait? I think parent hit the nail on the head.
The dangers of knowledge trigger emotional distress in human beings.
I wonder how many US government websites in Iraq and Washington are running these soft targets? This is the kind of thing that's forced all our Cybersecurity chiefs to resign in disgust.
--
make install -not war
Microsoft has had so many bugs and security flaws over the years that companies are completely immune to bad press for Microsoft. I wonder how much more of this people will finally take until they switch to MacOSX / Linux. I would highly suggest the MacOSX route ....
Proactive?! This vulnerability came to light a week ago - neither Microsoft nor their precious MVPs said a word about it until they could come up with some workaround code - not even a patch. I can hear it now... "if you upgrade to IIS6, you won't have to worry"... ugh.
Whatever else it is, like maybe a silly joke, possibly insightful, it is not offtopic.
Put identity in the browser.
No more [registration required] articles on ASP.net servers!
Bill Gates presses his Slashdot moderator script button. All anti-ms posts will be modbombed!!!
:-)
Can't you take a joke, moderators??? This dogbert scenario is pretty damn funny! I spat coffee out my nose when I read it!
Sometimes I have to wonder how it is that Microsoft, with all of their talent and wealth, can have so many problems that people of the calibre that their senior engineers are supposed to be could make. I remember talking to one of my professors about software processes and he was convinced that it's possible to have an "error-free" program, this side of the 2nd coming of God and our programming being outsourced to the angels to do for us. Is it a sign that we have matured as users, or that development has regressed that we now consider holes and bugs to be par for the course?
Click here or a puppy gets stomped!
What amazes me is that so many people still fail to recommend to their customers alternatives to IE and IIS. Are they just too lazy to learn about the alternatives, or do they really think these products are safe to use in mission critical environments?
I know it takes an investment of time to learn to implement viable alternatives, but if you're worth your salt in this business, shouldn't you at least know how to use products from more than one vendor?
it was a plot by the guys at Microsoft to gain backdoor access to porn sites. Think about it, develop a system for "secure logins" on the internet (whose business HAPPENS to be composed of 70% porn, 30% other) with a bug that lets you bypass the very login that was supposed to be secure? Riiiight. See business plan below.
Step 1: Develop language for use with "secure login"
Step 2: ???
Step 3: Masturbate!
1 ) I wonder how bad this actually is.. Is this merely "forms" security? Or also the Integrated Windows security? Seems also that if you don't use the built-in security models, this probably isn't a problem.
2) The "fix" according to the article is not bad at all.. Setting the check in global doesn't amount to 8.7 million hours of lost productivity.
ASP is dying, Netcraft confirms it!
Media that can be recorded and distributed can be recorded and distributed.
-kfg
Just rewrite your code, everyone - it's not our fault, it's your fault. What crap - everyone should move their sites to OSS and use Perl, Python, PHP or anything else you want - it is about choice and the expertise you have on hand or that you want to acquire. Whoever uses Microsoft anything for production is just asking for it - and to the person who wrote about the Mozilla flaw from yesterday - at least we don't have to rewrite anything to fix that. I have never had to rewrite/change an app because of a patch from any Linux vendor. How long will the corporate world put up with these shenanigans? Switch Now!
MOVE out of the desert. It's SAND...You know what you can grow in sand? NOTHING! You know what it's going to be in 1,000 years?...SAND!!! Move to where the food is...Oh Ohhhhhhhhhhhhhhh.
From the article : "c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file."
Now I could understand how c:\dir\test.dat and test.dat might be the same file - but, pray, assuming a hierarchical file system, how can all three be identical given that Windows file systems don't support hard-links? The test.dat is the same as the c:\dir\test.dat file if we are in c:\dir - but then the parent of the parent could not be c:\dir as well.
asp.net developers can get a free upgrade at www.php.net to correct a wide number of security concerns :P
Nah, it's just an "undocumented feature".
=======
Science -- Sealed, Delivered.
When installing Exchange 2003, a prerequisite is to install asp.net -- so I'm assuming that OWA for Exchange 2003 uses asp.net.
Can anyone confirm this vulnerability in OWA? If it is a problem, is there anything for an administrator to do? I am not a programmer/developer - the MS links didn't seem to have any helpful preventive info.
Microsoft says: /. says:
Microsoft ASP.NET developers can add more checks to help reduce canonicalization issues for a Web application by adding an Application_BeginRequest event handler in their Global.asax file that is stored in the root directory of the Web application.
Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits
Talk about FUD.
that you cue up the Big-Top Circus music...the one where all the clowns run around in a panic! But instead of clowns they're MS techs.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
1) Insert into global.asax:
void Application_BeginRequest(object source, EventArgs e) {
    // Refuse any request whose path contains a backslash, or whose physical
    // path is not already canonical (e.g. it still contains ".." segments).
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        throw new HttpException(404, "not found");
    }
}
2) ???
3) Profit!
I am the maverick of Slashdot
Which would have incurred more scorn from the general public:
1. Microsoft acknowledging the bug, saying that they are going to fix it, and also explaining a technique to work around the bug.
2. Microsoft acknowledging the bug, saying that they are going to fix it, and not providing an interim solution, other than wait for the fix.
Given these two choices, #1 is clearly the more socially responsible choice. To spin their actions as "blaming the victims" is an action worthy of a marketing drone.
Of course, Microsoft clearly fucked up by having this bug in there in the first place, but I'm sure that there will be the usual hundreds of /. posts laying that in thick.
It's very unlikely. Pr0n sites are usually big users of OSS software; almost all run on Apache with Linux.
I'm beginning to believe that it's time CIOs were taken to task for repeatedly putting their businesses in danger by continuing to require Microsoft products on their servers.
Most /. readers will agree that the OS and most of the MS software is buggy and CERTAINLY less than secure, so shouldn't these corporate "EXPERTS" know it as well? If so then they are intentionally endangering their most precious corporate assets - information.
Where I come from that is a direct affront to the charter of their positions and grounds for termination...
"Straddling the sword of technology..."
Unfortunately, the few lines required to implement the patch has already been copyrighted by Brian Connolly.
the fact that all the expensive licensing that the clients pay to MS because the product is 'supported'. If you have to rewrite your applications while waiting for a fix, you may as well use an open source solution because MS is neither giving you the quality product they promised nor the quality support they promised.
putting the 'B' in LGBTQ+
Free Pr0n for everyone!
Open Source may provide security *benefits* -- that does not make it immune to holes. The same thing could happen to an Open Source package with a broken API.
Have you ever seen Linux software using tmpnam(), for instance? That's an API bug right there.
Look, this is a darn large security hole. It'll result in some *huge* breakins for years to come. *However*, this is not a Microsoft- or closed-source- specific problem. It could happen just as easily to, say, the perl community.
May we never see th
...if this flaw was discovered in JSP, PHP or Perl, would we see the same degree of venom? ;-) /. has some really smart readers. Too bad there's so much platform religion. It's all the same crap in different packages. ASP.Net, JSP, PHP and Perl all suck and shine, differently but equally.
That's pretty funny, but my favorite is still this one
Common sense is not so common.
Today an issue was discovered with Mozilla Firefox in which, in the rare case a .config file was used to manage the security and permissions of a folder on a web server, a specially crafted URL could access the contents of the folder. Users are recommended to apply a small code patch to fix the issue.
about face
Today, yet another huge security hole was found in Microsoft software in which blows open all websites running ASP.NET. Microsoft's response? Re-write your code to fix the problem! Just another example of Microsoft's "blame the victim" mentality, when oh when will the madness end?!! We should all switch to Linux and Mozilla and Apache today because those apps never have bugs.
Tech, life, family, faith: Give me a visit
*falls on floor laughing*
BWA HAHAHAHAHAHAH!!!
hacking by query string! Every year gets better!!
*cleans teardrop* (sighs)
Here's a vulnerability or two right here. Too bad they are in the revered PHP platform. Just to show that no one is immune.
I understand your reaction, but you are misunderstanding the issue.
Your post seems to implicate the application developers.
The URL based security is a built-in functionality of the framework. The framework handles all of the checking for you, so you don't have to do that checking yourself. If the framework works as advertised, the developer SHOULD NOT be doing these checks. That is the benefit (and problem) with working with a higher abstraction.
Unless you are doing these checks with machine code, you too are depending on some other pre-built library or compiler to do it correctly.
If the library or compiler (or framework) does it incorrectly, don't blame the application developer.
It's not just asp.NET that's affected by bad programming. We use proper computers on our Intranet, not these silly Windows toys. Doesn't mean we're immune to the effects of sloppiness, though. The other day I found an application written by a subordinate of mine, where you could defeat an authentication check by setting a variable in a query string. You could say it's my fault really, for leaving register_globals on; but I find that 90% of the time it's a PITA having it off -- you might just as well be using something old-fashioned like perl if you're going to do that. When you have to read your variables "by hand" you can be sure what order you do 'em in. Sessions - who needs 'em? Just store a filename in a cookie and put the variables in the file, that's exactly how ASP and PHP do it! (Wonders: does having learned to do something the "hard way" first make you less likely to foul up when you come to do the same kind of thing a slightly easier way?) If you're going to be living in a house, you want housey stuff like electricity and plumbing, otherwise you may as well be living in a bender ..... if I'm going to be using PHP, I want PHP-like stuff otherwise it may as well be perl, but with far too many unnecessary round brackets {I grew up on British BASIC dialects which were similarly unfussy; SIN theta was as good as SIN (theta) but it saved you two whole precious bytes}.
I'll be having a word with him about it when he gets back. I distinctly remember telling him to be careful where certain variables came from. I haven't checked his code too closely yet, because I've had other things to deal with; but if I find $auth=$_SESSION["auth"] commented out, I just might have to kill him.
Je fume. Tu fumes. Nous fûmes!
The fix is pretty low impact wrt webapps. It's merely a matter of adding an event handler to the Global.asax file. The vast majority of webapps do not even touch that file because it's mostly auto-generated.
Saying that they need to "rewrite their applications" is incredibly misleading.
It's very unlikely. Pr0n sites are usually big users of OSS software; almost all run on Apache with Linux.
Well then those dirty GNU/Linux hippies over at Apache need to get cracking.
Free software!!! Free beer!!! Free Nelson Mandela!!! Free porn!!!
Ok so it's not an application rewrite. Ok so it is ONLY a 5 line patch.
Does no one here work in an organized company that has rigid procedures such as TESTING?!?!
What about the downtime of those apps while you do the patching and testing and redeployment?
So what if you don't need 2 weeks to write every ASP.NET application in the company. You do need the resources to test each application. No matter how much you try to play down the crisis, this is going to cost the corporations M-O-N-E-Y.
And what happens when MS gets their act together and releases a patch? Are you simply going to run the patch and leave it at that? No need to test all your applications against that new version of ASP.NET? For those of you who write applications that select * from grommets and display tables on a webpage, this might not be a big deal. But those of us doing heavy duty enterprise development will see a higher impact.
IIRC, Java hasn't had any of these type of problems within their development platform.
One line blog. I hear that they're called Twitters now.
I think not :)
Well fellas, that's another reason to move away from the MS Goliath. He's been falling TOO often!
With M$'s track record for security, I fail to see why everyone's panties are in a bunch. Unfortunately, we should be used to this kind of crap from them by now, not surprised or panicky.
Don't we have an SOP for microsoft security announcements by now?
--Qtone
The email looked so bogus that I figured it must be a phishing attack. But I checked out the urls, and sure enough...
Seems like there is a new microsoft security hole article on slashdot every day sometimes.
Interesting point. But atleast you don't pay a lot of money to someone else and do the job yourself.
First off, this is not a huge deal. Anybody with even a moderately complex ASP.net site has probably written custom authentication anyway. As is typical, the /. anti-MS crowd (into which I am normally grouped) have already blown this way out of proportion.
What would be interesting would be if mono and their re-implementation of ASP.Net got a boost out of this from the migration of some of the more run-of-the-mill ASP.Net websites. I see very few mono ASP.Net sites, and even less buzz about it.
>> About 2.9 million web sites run on ASP.NET
means there's at least 2.9 million dumbasses in key IT decision-making roles.
I don't think it's a .Net-only issue.
In Windows Explorer or a command prompt try the following path.
C:/windows
or in a command prompt "cd C:/windows"
Windows will be happy to correct it to C:\windows and execute your request.
EA David Gardner -"... but the consumers have proven that actually what they want is fun."
Having read the bug description, cause of the bug, and solution to the bug, I have the definitive response. On one side, you have the idiots saying 'OHMYGODYOUHAVETOREWRITEEVERYTHING!'. On the other side, you have the idiots saying 'This is nothing'.
1) The problem isn't incredibly awful in and of itself. Fixes would take roughly two minutes and could actually be automated. Simple as that.
2) The problem is indicative of Microsoft's biggest problem. Security. This is not an unknown issue. I check my code for similar issues. It is the most fundamental thing about security: Check the damn inputs. They should have white papers (they do actually) on this. They have trained every employee on this (they took a few weeks off just to schedule classes on this and other security issues). It is a very basic problem. Yet it recurs too often.
Granted -- it is easier to say than do. The people who say a bug like this should NEVER happen have never coded in a real work environment. Things do slip through the cracks. But it happens to Microsoft too often (admittedly less than five years ago, but still too often).
Bottom line. It ain't the end of the world. But it is indicative of a deep cultural problem that Microsoft has to overcome before someone overcomes Microsoft.
Sincerely,
AC
IIS6 is not vulnerable to this. IIS5 is vulnerable but there are security tools that should be running on IIS5 servers (URLScan and IISLockdown) that will block this attack.
Unfortunately, it appears that many (most? all?) shared hosting providers are not running IISLockdown nor URLScan because all of the hosted sites of mine that I tested were vulnerable (except for the ones hosted on Win2k3). So, for those of us doing the shared hosted thing, we needed a fix.
Defense in depth is always a good practice but ASP.NET's directory security was just so dang easy that many of us used it and didn't do security checks on the individual pages and functions like we should have. I admit I am/was guilty of that about 50% of the time (estimated Friday based on the work I did to correct every ASP.NET site I've ever done). I have code in each page now that checks authentication instead of relying on .NET's built-in security checks since those are apparently based on the string path and there is always another way to fake a string (server phishing?). I posted a little piece of code here that shows how I check authentication/authorization at the page/function/control level.
Microsoft's suggested workaround is easier because you put the 3 lines of code in 1 place, but after this security scare, I don't think I will ever rely on ASP.NET directory security (nor should I have ever relied on it).
The truth doesn't care what I think.
.. Ars Technica just migrated to .NET...
(ok, maybe coinky-dink is the wrong compound-word.. Irony's not quite right either.. How about BWAHAHAHAH!?)
you need to add a few lines of code to a global function that is run with every request...
Big fucking deal
you open source zealots should go back to your dark cubicals in the basement.
if you are not an ASP.NET developer, please do not comment on this story. it does not concern you.
I really enjoy how you Open Source Lap Dogs jump on this stuff. Microsoft is NOT saying re-write your applications. Your slash dot editors added that line.
Their recommended patch is to add 4 lines of code to a configuration file. To me that does not constitute a re-write.
Would a simple change like this require a re-write of your open source apps?
I would love to see you all jump on a bug in Apache like you do with Microsoft technogies.
FWIW... it took all of 5 min to patch my clients' sites to add this check... That was the fastest re-write I have ever participated in.
Exactly! There are four lines of code to add to one file per application. Those four lines are also a work-around until Microsoft releases a patch. When I read the blurb for this I got the impression the sky was falling. After getting the facts I get the impression chicken little is running around here.
/. wants to be a tabloid, but the fact that it is so one-sided against MS makes /. more of a shill.
This sensationalism is fine if
It could happen just as easily to, say, the perl community.
Granted, you are correct, but I might add that while such things might happen to Open Source communities, since we aren't paying for such things, we are less offended when they break. When Microsoft fouls up, we all get mad because we've maybe paid too much money for the product/license to begin with so we believe it should function better than a free solution. Sadly the opposite is often more true!
More often than not, Open Source solutions operate better than Microsoft products for any given circumstance.
The dangers of knowledge trigger emotional distress in human beings.
for Mozilla users. The article says the bug works differently for Mozilla than for the IE browser.
OK, separate but equal will have to do. Anybody got a list of asp.net servers they want to open up?
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Even if it only takes me ten minutes. Minimum charge is one hour. I rip on MSFT but I should be more grateful because if their crapass software actually worked like it was supposed to I wouldn't make near as much money supporting it! HAHAHAHAHA!
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
The linked MS article has a reference to a very well written security guideline, just as many home router/gateway manufacturers have documentation in their user manuals about WEP/WAP. If a businessman/woman or grandma/pa is expected to RTFM about their home network, I suggest programmers and web designers have at least an equal responsibility to follow manufacturer's security-related advice.
I'm not totally clueless. I realize this is /. and the article is the obligatory, daily, "let's bash MS" post.
No man's an island, unless he's had too much to drink and wets the bed.
Actually, those 4 lines do not fix the problem, they help.
Look here for a good explanation.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I always think...
One less, of course
OK, I am an independent programmer that writes most of my code in ASP.NET. I'll give a taste of what this does to people like me.
Remember, there are actually TWO vulnerabilities that affect programmers in Microsoft right now - the GDI+ JPEG overflow and the new canonicalization overflow. Microsoft has fixed neither effectively, so the coders have to fix both.
I manage eleven ASP.NET sites and five C# Windows Forms applications. Between those sixteen apps, I need to:
- load them up in Visual Studio
- Go back to the last stable build in SourceSafe
- fix the reference to GDI+
- add the mappath check to the Global.asax file
- munge the global error handler so I don't get 12,434 error emails when the hacks start coming
- compile
- regression test the app
- redeploy
Now, admittedly, that only took about 20 hours for all 16 apps, but for CRYING OUT LOUD can't they just test this stuff BEFORE they send it out? I have the highest respect for the ASP.NET team, I have worked with many of them on the many books I have written on the topic. Nonetheless, I now have to spend 12 precious, non-billable hours on a problem that is covered at length in 'the bible' - Howard and LeBlanc's Writing Secure Code 2.
Why do I write in ASP.NET? It is FAST - much much much faster than Java or perl or CF any other middleware out there. It is perfect for what I do. But how many of these are there? How many security flaws that the black hats know about that we don't?
It's a little frustrating.
S
/usr/bin/grep -i -E meaning life.txt
Just an FYI, the above is topical. This exploit falls under the domain of IIS. Please don't mod comments as offtopic if you don't understand the topic well enough to tell the difference.
Also, you would have noticed that the IE URL flaw is also mentioned if you had READ THE FUCKING ARTICLE.
Idiot or MS fanboy--you decide.
Microsoft has pretty much never won a battle against open source on this front. It has never exceeded 35 percent in market share and it seems stalled at about 20 percent with no signs of movement. It got where it is today by putting the smackdown on other proprietary systems (Netscape/iPlanet/Sun), with little or no switching from Linux and BSD.
It seems that any movement above the natural stable point in the low 20s is temporary. Every time IIS makes a big move in market share it only lasts a few months... then a "Code Red" sort of crisis scares people away and they never come back - even if there is a patch offered it seems that deploying the patch is too much trouble for hosting companies and so they resort to bringing the old Suns back online or switching to Linux or BSD - because they never experience disruptions on the scale of those inflicting IIS.
Interestingly, this puts a hole in the MS-friendly argument that "people hate them because they are popular" making it the lead target of crackers. In terms of RATE of attack (percentage of total servers attacked--NOT absolute numbers), market leader Apache is NEVER attacked as much as distant also-ran IIS. If it was ONLY about crackers boasting of their skillz in bringing down big, popular sites, then Apache would be attacked far more often. Sad truth is...IIS is just that much easier to crack.
Yep! It's Thursday!
It just never ends, does it?
In so many ways, Microsoft is just like the Energizer bunny: They keep patching and patching and patching and patching...
Holy @#$*(. TWICE in TWO DAYS a perfectly legitimate comment is modded down..
Consider this:
my comment.. flamebait
this comment (http://it.slashdot.org/comments.pl?sid=124766&cid=10461007) which says EXACTLY THE SAME THING... +5 interesting
WTF??!
Does someone have something against me, or something?
(posted anonymously, so my karma doesn't suffer EVEN MORE)
Screw talking about fixing it.
I want to know all the pr0n sites still vulnerable!
-------
Bite Me Fanboy!!
Firefox is a browser. If a web server is allowing access to a file on the server that it shouldn't, then that isn't a bug in Firefox - it's a bug in the web server. Any server that is dependent on the client playing nice in order to get proper security (like most online games) is broken by design.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Doesn't MBSA install an IIS filter that rewrites/rejects bad URLs (exactly the kind that causes this exploit) after validating them, before the HTTP request hits anything else, like ASP or ASP.NET??
This exploit already has a fix/work-around that doesn't require a code change. Nothing to see here, move along.
Choose any two.
It still sucks for the economy to be out 8.7 million hours.
:-)
It sounds like, as far as I can guess, that the order of operations chosen by MS was:
1) run "security validation" (?) on URL
2) convert URL into canonical form
rather than
1) convert URL into canonical form
2) run "security validation" on URL (to see if you have rights to the resource referenced)
I don't know how they could accurately identify what resource the incoming URL referenced, and not catch your lack of privilege to access it.
I think it is part of our job to continually remind our bosses what presumptive ("we're number one, so we don't have to care!") twits MS can be, and question just how wise it is to trust your livelihood to these folks.
But that's just my opinion.
Yow! I'm supposed to have a plan?
You just knew something called ASP would have to come back and bite them in the butt some day. Didn't you? :)
I have news for you: 1 password-protected ASP application out of 3 can be accessed using the username ' or ''='' or ''=' and the empty password (the first and last single quote are part of the username).
Reason: SQL injection.
Supposedly these apps verify the password via a construct equivalent to the following (pseudo-syntax, I don't know enough VB to write real code):
answer = query_execute("SELECT account_id FROM users WHERE username=' "+username+" ' AND password=' "+password+" '");
Yes, they use string concatenation to build the query, rather than using wildcards (bind variables)! Not sure ASP even supports wildcards...
What happens with the magic username above, is that a query such as the following is executed against the database:
SELECT account_id FROM users WHERE username='' or ''='' or ''='' AND password=''
(the part of the query coming from the user-entered data is bold, the rest is what came from the program). This is a query that matches for all rows, so you'll usually get connected using the credentials from the first account in the table (often administrator, he!). Try it out! Go to google, search for login asp username password and pick one of the sites from "the middle of the stack" (i.e. not from the first few pages returned, because those are mostly either ASP tutorials, or the rare "secure" ASP sites). Saying username and password in another language (Benutzername/Passwort) helps too as you'll get a "fresher" less overfished list ;-)
If the simplistic approach doesn't work, try entering a lone single quote as the username and/or password. You'll often get an error message that shows you part of the query used, and from there you can find how to word your username so that you still get access. For instance, some sites do not use the password in the WHERE clause, but instead return it. In that case, use something such as the following as your username, and zozo as the password:
' union select 0,'zozo' from users where ''='
The query obviously needs some tweaking, as the number of columns, position of password in select clause, and names of table obviously vary among sites. But fortunately, error messages are often verbose enough that with a little bit of trial and error you can figure out a "magic" username that opens the door to the kingdom.
If you are a site administrator whose app is vulnerable: rewriting your app is indeed a solution... preferably in PHP!
Say no to software patents.
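Added example (not code from the post above, nor from any real ASP application): the concatenated login query the post describes, beside the same query written with bind variables, run in Python against a constructed in-memory SQLite table. The function names, the sample accounts and the table layout are assumptions of this example. With string concatenation the magic username matches every row and the first account comes back; with parameters the same input is just a username that does not exist. A third helper shows why the "lone single quote" probe works against concatenated code: the database rejects the malformed statement, and an application that echoes that error hands out its query structure.

```python
import sqlite3

# The login-bypass string quoted in the post above (outer quotes are part of the value).
MAGIC_USERNAME = "' or ''='' or ''='"


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, administrator first, as in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account_id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "administrator", "s3cret"), (2, "alice", "hunter2")],
    )
    return conn


def login_concatenated(conn, username: str, password: str):
    """The construct the post describes: user input is pasted into the SQL text.

    Returns the matched account_id or None.  With MAGIC_USERNAME the statement
    becomes  ... WHERE username='' or ''='' or ''='' AND password=''  which is
    true for every row, so the first account is returned.
    """
    sql = (
        "SELECT account_id FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password: str):
    """Same query with bind variables: the input is compared as data, never parsed as SQL."""
    sql = "SELECT account_id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def concatenation_raises(conn, username: str, password: str) -> bool:
    """True when the concatenated statement is malformed and the database errors out.

    This is what a lone single quote does to the concatenated query; the
    parameterized version simply returns None for the same input.
    """
    try:
        login_concatenated(conn, username, password)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = build_demo_db()
    print("concatenated, magic username:", login_concatenated(db, MAGIC_USERNAME, ""))
    print("parameterized, magic username:", login_parameterized(db, MAGIC_USERNAME, ""))
    print("concatenated, lone quote raises:", concatenation_raises(db, "'", ""))
    print("parameterized, lone quote:", login_parameterized(db, "'", ""))
```

The fix is the one the post hints at with "bind variables": every database driver ASP or ASP.NET can use (ADO, ADO.NET) supports parameters, so the query text never changes with user input. Suppressing detailed database errors on the login page is the second half of the mitigation, since those errors are what make the probing described above productive.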
Is there any web app framework which has never had a security hole? I'd love to use it, if there is. Any pointers?
Rik
www.domain.com/securebit/securefile.aspx
which redirects to:
www.domain.com/login/login.aspx
I've tried replacing / with \ or %5C in the bit before "securefile" but it just doesn't work for me. I'm using forms authentication with role based permissions. Webconfig that handles this is (simplified):That's not exactly right but it gives a good idea. I also have parent paths disabled, which I've been reading may or may not have an effect on this exploit. Have made the changes recommended already but I would really like to see if I can repeat the flaw on a testing server (Even if just to cover my ass with the customers!).
People that believe in their opinions don't post AC.
I'm all for keeping Microsoft's critics honest. And I welcome debate and dissenting opinion. But let's not act all shocked and surprised at the general negative attitude towards Microsoft found in this forum; it's always been there. And, frankly, it's a welcomed change from the usual positive Microsoft bias common to so much of the press-release-as-a-news-story industry media.
Do people still come to /. one of the major Linux and OSS hubs on the Internet and expect pro-MS reporting? Can you explain that to me? Do you think Linux users go to Paul Thurrott's SuperSite for Windows expecting pro-Linux reporting? No they don't.
Maybe when we can finally go a few months without a horrific financially devastating virus or security flaw in Windows being reported, then we will give MS a second chance. Until then you'll excuse us if we don't give Microsoft the benefit of the doubt. Especially when you consider their past and current efforts to wipe Linux and OSS from the face of the planet and how they put out major Press Releases where they LIE about Linux on a weekly basis.
See here you are getting pissed off that an anonymous poster used the word "re-write" which btw is technically correct. Compare that to the garbage MS puts out constantly about Linux which reaches CEO's, the media, and sites likely to be read by management (as opposed to /.). Now you tell me which is worse and does more damage via FUD?
Sincerely
typical anti-MS slashdotter truth-teller
If you wanna get rich, you know that payback is a bitch
For the next four hours we will be featuring FREE P0RN at all adult ASP.NET sites. This value added bonus is brought to you by MSFT: Where do you want to jerk off today?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I tested the 5 sites I've used this feature on over the last couple of years. Out of those 5 sites, only one proved to be vulnerable. I didn't take the time to find any pattern. None was obvious.
The test took about 10 minutes. Then I applied the work-around from MS, and uploaded that to the server. That took about a minute. Then I tested the site in question, ensured that the hole was closed and the site still functioned correctly. The site isn't too complicated, so that took less than 5 minutes.
So the total impact to me so far was less than the time spent reading the replies to this post on slashdot!
That said, I agree that an open source solution where a patch could be released right away would have been much better.
I'll be able to get into porn sites by the, er, back door?
Oops, my memory failed me. Run the IIS Lockdown tool and it will install (at your request) URLScan, which protects you automatically. A wee bit of tweaking is necessary if you want to allow folks to download .exe files from your IIS box, but that's easily fixed.
But is it really fast, when you have to deal with problems like these?
It's like saying I own a really fast car, but it's in the shop a lot. Is that still the best car for you?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Funny you say that. I was recently working at a bank that was using PHP for all front end and middleware stuff. The 'bank' code itself (which calculated interest and all that jazz) was Oracle and thousands of stored procedures and triggers, but everything else was in PHP. A large contingent of PHP people left at the same time, however, so I'm not sure they'll stick with PHP long term, but that's a business/resource issue, not a technology issue. PHP can talk SOAP to external systems as well as .net or java, which is mostly what was required for that type of system.
creation science book
Meanwhile, those of us who know how to read have already patched our systems, because the "rewriting" involves adding six lines of code to one file per webroot. For those of you who can't read, that's "6" lines, and the article has all six lines already written for you.
Looks like someone has an agenda. Could it be that Slashdot's parent company, VA Systems, has a conflict of interests between reporting news and blindly spreading anti-Microsoft FUD?
And, frankly, it's a welcomed change from the usual positive Microsoft bias common to so much of the press-release-as-a-news-story industry media.
So instead of the glossy MS corporate spin you welcome fanatical, bash-MS-no-matter-what spin?
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
>> rewrite their applications
MS: "Well folks, you can fix this issue by adding a routine to your global file, so you only make it once, and by the way, here's the code to do it"
Slashdot: My God, we have to re-write our applications, MS Sucks!!!
An actual attempt at fairness would actually be appreciated sometimes
Microsoft: "And those 2.9 million web sites running on ASP.NET are just as secure as those run on Apache!"
But according to Microsoft and other marketing research companies - Microsoft is cheaper to own...
Wondered if they factored security, legal and cleanup costs...
And if I had the source, I could be patching it now.
Microsoft actively encourages use of backslashes in URL's in their Web publishing software. This is done so that it is more difficult to move a web site to a non-Windows server, and also to break older non-IE browsers by making them fail to correctly parse relative URL names.
If they had written this correctly, IIS would, at a very low level, have checked any URL and translated it to a legal Windows filename. This would mean turning any backslash into some other escape sequence before using it to identify the file in the file system (forward slashes could be left alone). This would have been trivial and in fact most original 3rd-party software for serving web pages from Windows did this. This would have immediately stopped the exploit of putting '\' or %5c into the URL.
IIS certainly checks and cooks the URL in many other ways before producing the filename, so laziness is not an excuse. It is pretty obvious that they wanted to intentionally allow URL's on the web that were non standard and would not work correctly on Unix servers.
As an ASP.net developer this concerns me, however I've been trying to bypass both Windows and Forms Authentication security (supposedly both susceptible) using the methods described in both Firefox and IE and all it does is just forward me to the login page. I'm also running a fully patched Win2k3 IIS6 box so maybe this is an issue for those behind on their updates? Either that or it's just much ado about nothing.
I'm relatively sure that canonicalization happens before application_beginrequest. A simple debug will show you that your requested URL has already changed to an appropriate forward slash.
Actually this case is a very good argument pro Open Source software. Too bad the /. post is flawed. It is perfectly OK that they state - we don't have a patch right now: you can:
1] Lay down the service and wait for patch.
2] Do a workaround the problem with scripts.
The case is not about the workaround as it is obvious that it is better than laying down the entire service. The case is about that there is no other option. You just have to wait for the patch (we'll see MSFT timing on that).
With Open Source you can:
1] Lay down the service and wait for distributor to issue patch/update.
2] Take the patch from somewhere else and apply it (on source code) yourself.
3] Make a workaround.
4] Pound through source code and fix it yourself (probably with help of entire community) - which often can be easier than issuing workarounds (depends on scale of your systems).
See? You have more options. Not just sit and wait, you can actually do something. This flaw is very critical - it will be fixed soon. But I know MSFT not fixing a flaw that caused system crashes like every 15 min. for 2,5 years just because it was a flaw in something that was not widely used (but was important to me f.e.).
Take a look at this KB:
http://support.microsoft.com/default.aspx?scid=kb;en-us;319810
It says it was fixed in June 1, 2002 - then consider that this hardware (and Windows version) was available and used in late 1999 which gives 2,5 years of not fixing an unstable system. Congratulations.
As far as I can tell this only affects sites that are "protected" by Windows logon security. You really shouldn't be using that on public sites (or any sites IMHO). Mis-typed URL's will not get through properly written login validation code that gets checked at the top of every page in a site.
It doesn't matter if your framework / server is the MOST VULNERABLE SOFTWARE EVER WRITTEN ON EARTH.
As long as you have money, you can make companies buy your product!
There are not many details so far, but it refers to the "canonicalization" functionality and suggests implementing the hardening measures outlined in KB887459 (support.microsoft.com/?kbid=887459).
It appears that a particularly crafted request may confuse ASP.Net and allow access to otherwise protected directories.
If a web server receives a request for a particular URL (e.g._http://server/somedirectory/filename), the 'somedirectory/filename' part has to be mapped to a particular file located on the server. This translation has been the source of many "directory traversal" bugs. The IIS unicode exploit is probably the most famous one.
After our original posting of this diary, a few users pointed to the following articles which provide more details than provided by Microsoft's advisory:
(Thanks to Chaouki & Daniel)
www.heise.de/security/news/meldung/51730 (german)
http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2004-09/0068.html
x (italian)
blogs.devleap.com/rob/archive/2004/10/02/1803.asp
www.k-otik.com/news/10052004.ASPNETFlaw.php (french)
It appears that by switching a '/' character in the URL with '\' or '%5C', the canonicalization routine will be confused. So if the URL: http://www.example.com/secure/file.apx is password protected, using either of the following URLs will bypass the restriction: http://www.example.com/secure\file.apx http://www.example.com/secure%5Cfile.apx
In addition to the slash/back-slash confusion, one reader reports that inserting a space will bypass the URL restriction as well: http://www.example.com/%20/secure/file.apx (had no chance to validate this method so far)
URL Obfuscation
Handler and star SANS instructor Ed Skoudis compiled a comprehensive list of various URL obfuscation methods used in phishing schemes and spam. Some of these methods do not work with all browsers (e.g. the %01 issue in older Internet Explorer versions). In order to preserve the tricky details of some of these methods, we set up a page which includes just the URL methods without our usual header and footer: isc.sans.org/presentations/urlobfuscation.php (to view as source: isc.sans.org/presentations/urlobfuscation.txt ).
Jan Reilink wrote to point us to this page with more details about URL obfuscation and decoding: www.pc-help.org/obscure.htm .
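Worked example, added here and not code from the SANS diary, from Microsoft or from ASP.NET itself: the order-of-operations problem discussed earlier in the thread (run the access check on the raw URL, canonicalize afterwards) and the backslash, %5C and %20 bypasses quoted in the diary above, modelled in Python. The protected-path policy, the role name, the function names and the double-decoding loop are assumptions of this example. authorize_broken checks the policy against the raw request path and only then canonicalizes it to find the file, so a request for /secure\file.aspx is not recognised as living under /secure/ and is allowed; authorize_fixed canonicalizes first and denies the same request. contains_raw_escapes is the blunt alternative the thread also mentions (URLScan-style rejection of any backslash or percent sign), which works regardless of ordering.

```python
from urllib.parse import unquote

# Constructed sample policy (assumption of this example): everything under
# /secure/ requires the "member" role; everything else is public.
PROTECTED_PREFIXES = {"/secure/": "member"}


def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to one canonical form before any policy decision.

    Percent-decode until the text stops changing (bounded, so %255C cannot
    hide a backslash behind a second layer of encoding), fold '\\' to '/',
    drop empty, whitespace-only and '.' segments, resolve '..' without ever
    climbing above the root.
    """
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    segments = []
    for seg in decoded.split("/"):
        if seg.strip() == "" or seg == ".":
            continue  # covers the "/%20/secure/..." trick: the blank segment vanishes
        if seg == "..":
            if segments:
                segments.pop()  # at the root, '..' stays at the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def required_role(path: str):
    """Return the role a path needs, or None when it is public."""
    for prefix, role in PROTECTED_PREFIXES.items():
        if path.startswith(prefix):
            return role
    return None


def contains_raw_escapes(raw_path: str) -> bool:
    """The reject-outright workaround: any backslash or percent sign in the raw URL."""
    return "\\" in raw_path or "%" in raw_path


def authorize_broken(raw_path: str, roles):
    """Vulnerable ordering: policy on the raw path, canonicalization afterwards.

    Returns (allowed, canonical_path); the file served is looked up by the
    second value, so 'allowed' for a disguised /secure/ path is the bug.
    """
    role = required_role(raw_path)
    allowed = role is None or role in roles
    return allowed, canonicalize_path(raw_path)


def authorize_fixed(raw_path: str, roles):
    """Correct ordering: canonicalize first, then apply the policy to that result."""
    path = canonicalize_path(raw_path)
    role = required_role(path)
    return (role is None or role in roles), path


if __name__ == "__main__":
    anonymous = set()
    for req in ["/secure/file.aspx", "/secure\\file.aspx",
                "/secure%5Cfile.aspx", "/%20/secure/file.aspx"]:
        print(f"{req:26} broken={authorize_broken(req, anonymous)[0]!s:5} "
              f"fixed={authorize_fixed(req, anonymous)[0]!s:5} "
              f"reject={contains_raw_escapes(req)}")
```

The lesson is the one the earlier poster spelled out: whatever code decides "may this principal see this resource" must see exactly the same path string that the file lookup will use. Folding the escapes and then checking is the robust fix; rejecting the escapes is the quick one and is what the KB workaround and URLScan amount to.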
No. I appreciate the bias that is willing to point out not everything lines up with that glossy corporate spin. And, as I pointed out, I also welcome the criticism of that criticism that keeps the negative MS bias honest.
I have to wonder - did you even READ what I wrote? Or were you too eager to paint me as a fanatical zealot because my implied identification with Microsoft's critics?
More like, "I have a really fast car, but it slams into a wall once a week or so, killing everyone aboard."
I don't think that's the kind of "FAST" he was writing about.
And your analogy is teh lame. All race cars are in the shop a lot. If I am at the races, yes, it is the best car for me.
Hey. You forgot something. Scalability is about "nothing shared". You can rewrite PHP's session functions to use files on a remote server. Wanna scale MySQL? Just change the MySQL server's address. Yeah it involves rewriting some stuff, but it CAN be done.
Now, talk about bandwidth usage? Use a compiling/caching template engine. <--- this is usually the most troublesome thing in web servers.
Oh, and remember PHP 5 is ALREADY out if you're concerned about performance issues.
I've posted this elsewhere, but I think this is a great example.
I strongly suspect that you only *think* you've fixed the problem, not really fixed the problem.
But, don't trust me, go read the MS KB article. It's pretty clear to me that the "work-around" is likely to only be a partial fix. They reference "help," not fix numerous times.
When such a huge bug exists in the underlying system, a simple work around isn't likely to plug much more than the obvious holes.
IMHO, provided I'm right, this is worse than no solution at all. The admins think "All is well - I patched that." and tune out all the warnings. But the reality is that you patched 5% of the problem, and now have a complete false sense of security.
I hope I'm wrong, but I suspect not.
Cheers,
Greg
Yeah, maybe it's your logic, tool.
I never painted you as a fanatical zealot. I'm simply saying that a bit of the "general negative attitude" (as you said) in this forum is over-inflated idiocy (particularly by the editors). Sure, there is plenty of reason to not like MS, but having editors and posters misrepresent things like the impact of security issues isn't the way to properly discuss things. Couple that with the odd twist of this forum embracing games that are typically Win32 only (The Sims series, etc) just shows that Slashdot can't be seen as a level-headed discussion forum.
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
It is when I'm racing.
(point: the right tool for the job)
...2 weeks of QA testing and deployment in production.
Maybe it's not a big deal to some of you kids who think you can code a patch and have it in production that day because MS said so.
To the rest of us, you have to test the thing thoroughly because the business's revenue comes through that site.
You may be right, or they may just be hedging since the fix was probably released in haste and probably wasn't fully tested.
I do know that before applying the fix I was able to bypass the authentication with the %5c trick, and now I cannot. I will keep my eye on the issue!
BTW, I realized an obvious pattern to which sites were not vulnerable. I'm hosting them all on my own box with IISLockdown installed. The vulnerable site is hosted elsewhere and I don't know if they've installed IISLockdown or not.
How curious. This is exactly how i stealth my forbidden directories in my PHP apps, by using the .htaccess file.
RewriteEngine on
RewriteRule .* - [R=404]
The hacker will never know when he's found a forbidden dir.
I could as well use a prepend.php and put a 404 redirect in there.
Still, the difference is that with this I *enhance* the security in my site. Very different thing is letting people access pw-protected directories with a simple url rewrite.
everyone start your Official CTO Stop watches.
I can't view this story from work. Every other story loads fine.. at the moment I'm SSHd into an alternate server to post this comment. Anyone else having trouble?
They're different domains. One is speed of development and maintenance, one is speed of execution. I believe he was referring to speed of execution...
Hell, there are no rules here. We're trying to accomplish something. - Thomas Edison
there's no such thing!
My Linux Command of the Day site : LCOD
People aren't shocked and surprised at the general attitude of the forum participants. They are offended at the bias and deception in the writeup posted on the frontpage. Yes, it was submitted by an "anonymous reader", but the editor posting it (michael in this case) should take some responsibility for confirming that the story he posts is not completely false or misleading. Biased comments in the discussion are expected. That's why it's a discussion. But the "news" should be made to be at least a bit accurate.
Maybe I'm a bit more concerned about these issues right now than I usually am because last night I watched the excellent documentary outfoxed about the propaganda that the Fox News channel passes off as news.
I'd rather be lucky than good.
Does this affect people who use Mono instead of microsoft as the back end?
It seems that making the backend run mono instead of microsoft is a viable solution for small scale ASP users.
s/apathetic software distributor.*\./apathetic Free Software Community./
You can't pull this trick if you don't have the source code and the right to modify it for your own use.
"Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
../../../../home and /home are (on my setup) the same directory. The root .. just points back to the / dir. So you can do as many ../ as you want. Try it.
Not sure if the same is true on dos but it should be, else you could go some place weird just by doing a cd .. too many times.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0409&L=ntbugtraq&F=P&S=&P=9884
I use both PHP and ASP.NET pretty much equally. ASP.NET is faster and more powerful than PHP. And for the record, this hole isn't that big of a deal. Why?
1) Does not work on a properly configured IIS6 server.
2) Securing a directory with nothing more than a web.config file is just plain stupid to begin with. Securing a page with a web.config file should only be done either with another layer of security, or on directories that you just want to keep hidden from the average user.
3) Ctrl+C, Ctrl+V, Click, Fixed
And anyone who thinks PHP is a pillar of security obviously hasn't used PHP all that much.
Because it blows? PHP really, really blows. OK finally, after years it's "object oriented" even though the function library is still a haphazardly-named mess of handles and global variables.
I agree that PHP is only now learning the lessons that others learned a long time ago. But Perl only had one vulnerability.
And that vulnerability only applied if you were running Perl on Windows. Most people using Perl for web work run on something *nix based.
BTW secunia is an interesting resource. Thanks for the recommend.
That sounds like a fix to me. Why provide a "guideline" when a fix is available? While the name implies modularity, the Microsoft code samples show otherwise. It looks like a rewrite of code, written to previous guidelines, is required so that your code will then point to that file because the previous "easy" method was so easy to defeat. Think about it for one instant and you will realize that an easy, global fix would be pushed out by Windoze Update and no fuss would be made.
The ominous portion of the warning is that "administrative" areas were also protected by the same scheme. That makes sitting ducks out of every one of the 2.9 million sites dumb enough to trust M$ with security.
Friends don't help friends install M$ junk.
I've been unable to replicate this behavior on any of my own projects/sites.. does anyone have detailed instructions?
Not All Who Wander Are Lost
"Doomsday talk" is about how this flaw lets people into your "administrative" site. Want to imagine how many .NET programmers are going to miss this little talk and have their servers used with ease by any old deviant?
P.S. - I am not a microsoft supporter
I'm Glad you let us know!
Friends don't help friends install M$ junk.
After coming off the hilarious Mozilla bug story from yesterday, Slashdot posting about this "Ominous ASP.Net Security Warning" just seems like sour grapes to me.
What is so "ominous" about it? Oh, that's right, we needed to yet again bash Microsoft for no reason because our employers are OSTG and make a living off OSS products.
Is there a list of affected sites anywhere? and is there a link to a working exploit yet? I need to go check and make sure that my personal details are still safe at all these sites ya'know.
Or perhaps you used the automatic URL-busting scanner that you wrote in Perl months ago anticipating this problem?
My guess is that you did the former and are madly deluded in thinking that your sites are safe.
If you really think your sites are safe, publish their URLs here. Go ahead, I dare ya!-))
SDK Download
Have you ever been to a turkish prison?
Now all I need to do is insert backslashes into my filenames on my website. Since IE will try to convert those to forward slashes, they will 404! Excellent!
So the total impact to me so far was less than the time spent reading the replies to this post on slashdot!
Yeah, for you. What about the poor SOB's that got hacked in the first place? Most of these things are not discovered at Microsoft during testing. They are discovered in the field, by customers and then you are told about them.
he means its fast to write it - not fast when its working ;)
;)
ie - drag and drop this here - and drag and drop this over here - and visually drop this object there - lick and fold and we're done.
Without any real knowledge of whats going on
How would you know?
"I read porn sites only for their HTTP headers. Honest!"
Yeah, right...
The only viable choice to ASP.NET is Java (a mix of JSP, Servlets, Beans, Enterprise Beans, JSF and perhaps Struts).
Never mix apples and oranges... except if you are making a cocktail.
Cheers,
Adolfo
1. The suggested fix is small and simple. A couple of lines in the Global.asax file is hardly a rewrite. You probably won't need more than a couple of minutes to do it.
;-).
2. Open source alternatives are not flawless or bug proof.
3. ASP.NET has an excellent track record and it is in a league of its own. Well, except for perhaps Java.
Bashing anything Microsoft won't make you automatically cool, although it helps
Cheers,
Adolfo
Jimmy: "When you came posting security alerts, did you see a sign over my desk that said Large Software Firms Webserver Bug Resolution Team?" Microsoft: "Jimmy, you know..." Jimmy: "Did you see a sign over my desk that said Large Software Firms Webserver Bug Resolution Team?" Microsoft: "No. I didn't". Jimmy: "You know why you didn't see that sign?" Microsoft: "Why?" Jimmy: "Cause it ain't there. Because fixing Large Software Firms Webserver Bugs ain't my fscking business"
Just deny the backslash character and escaping percent sign in urls using URLSCAN. It is the key requirement for the exploit. If these characters cannot get past URLSCAN then the exploit cannot be successful. A properly secured server would already have had this in place before this.
See the following snippet from urlscan.ini
contact info: platformlabs.com
I support a web application, and it uses Role-Based authentication, database and cookies to store/process the roles (you have probably seen articles with such a thing)
Am I safe, or is this system affected (rather not have to do some unpaid work to fix Microsoft's fault if not really necessary).
I can understand full well why Apple zealots are hated (I use a Mac myself btw,) because I am starting to get so pissed off with Microsoft fans getting on the fucking defensive and ranting and raving at slashdot, once again, every time a MS security bug crops up here or when MS does yet another crazy business action.
For crying out loud, if you are so blind that you can't see that
A) slashdot, in general favours Linux and opensource products, and
B) slashdot does actually post interesting article on MS every now and again when MS really does innovate, then...
fuck off back to Winsupersite where Paul "I sold my butthole to Bill" Thurrot will be glad to have you.
Or are you drawn to this site because its actually interesting?
Fair enough. I also agree that the negative outlook is taken too far at times. There are criticisms that I've disagreed with. I'm just wary that all criticism is being discarded.
An interesting aspect about Slashdot is that it really isn't a traditional news outlet. Slashdot does not provide news itself but points to a news source and then provides a forum to discuss that news. As such, that discussion is integral to Slashdot and the opinion expressed in the initial entry is of limited importance.
Traditional media re-packages an opinion and provides no ability for feedback. Or the feedback mechanism is an after-thought or an apparent ploy to push banner ads.
Again, I'm not defending the more outrageous behavior. But at the same time, I'm not keen to lambaste the entire forum for that behavior.
Slashdot has come to reflect a large group with differing interests. Some people like Win32 games. Some people like Anime. Some people take very polarized views of US politics and policies (discussed on the new political section). There are critics and dissenting opinion on all these subjects. So you are not going to find complete consistency across the board. And you don't have to favor one topic to support another.
Having said that, I'm looking forward to when more and more of the games discussed aren't Win32-only games.
Stuff rewrite and future errors if code works on Mono and Mono does not have the fault rip out the windows servers install linux ones with Mono and tell developers all future development will be in php or something open source (so that system defects can be avoided and removed) in a memo and leak memo to microsoft in the hope of a licence saving.
Reasons the human typo and human blindness ie missing the fault remove fault no human factor.
A flaw? MS, you disappoint me.
http://shit.slashdot.org/article.pl?sid=04/10/07/1549224
Twitter, you're a petulant cock-gobbling sycophant to Linux Torvaldyos! Quit taking DP from ESR and RMS's feculent cocks and why don't you try to stop sucking quite so much? Get out of your parents' basement and see the real world - maybe then you'll see how pathetic you sound, with your neverending stream of bullshit about how Microsoft is stalking you. Wasn't it you who said that Microsoft believes your insane ranting is actually a threat to them, so they PAY PEOPLE to reply to you on Slashdot? No sir, I don't get any money. I do it for the love. Someone has to go up against your paranoid whining. So get back in your cage and shut the fuck up already.
Ahh, good thinking, IISLockdown probably would block this - the URLScan component probably translates the \ in the url back to a / before .Net sees it.
I couldn't replicate this problem on my local machine here tho, which doesn't have IISLockdown or URLscan installed. I created a basic website with a couple of pages + a login page, using forms auth, with the login redirect in web config pointing at the login page. Going directly to http://server/vdir\samplepage.aspx (in moz) or http://server/vdir%5Csamplepage.aspx still redirects me to the login page.
How did you replicate this?
Cheers
Yeah but when you need to squeeze every ounce of performance out of a 2GHz processor you will be glad you chose ASP.NET
;)
And not to mention when you need to squeeze your application into a mere 2 gigs of RAM.
In the free world the media isn't government run; the government is media run.
Brian Goldfarb who is a program manager for ASP.NET today posted a link to a http handler that will block requests using malformed URLs for all web apps on the server. Link I think this is a bit overblown here. URLscan which is recommended in any MS security blocks this. The ASP.NET security guide shows how to avoid canonicalization issues. On the other hand how did this get through testing? .NET has an excellent security track record with very, very few issues. I think that this is the first major one. Good for something as large as .NET. MS has come a long way over the last couple of years with security. Best of luck to them over there.
More info can also be found here.
I wish I could tell you how I replicated this! At first I was just thinking about the code. My first thought was authentication against a database vs. against values in the web.config, but that was proven wrong. In the end, the only thing I could come up with was that my server is hardened with IISLockdown, which does pre-process URLs before they hit the webapp layer. That said, I've found some sites even on my local IIS under XP, which isn't hardened with IISLockdown, aren't vulnerable, so I don't know what the secrets of this trick are.
Just curious, but why can't you bill for these hours? The flaws were no fault of yours, and you don't have to bear the consequences of every flaw of every Microsoft product - otherwise you'd be providing support for free until the day you die.
come come commala
Starbucks, Harbuckle of Breath.
That's your argument? They both suck, but Ford sucks more? How does this address the responsibility that Microsoft should have for making its products perform correctly? Sheesh -- you Microsoft apologists are just too much.
The best diplomat I know is a fully activated phaser bank.
-- Scotty.
I really hope that this becomes a case-study for the open source movement. Could you imagine the guys at Apache saying "We've found a bug that lets a user access your system" WITHOUT releasing a patch? And the guys at Microsoft get _paid_ to fix these problems. Sheesh!
Any bug in mozilla firefox can't be serious because nobody is using it...
hmmm... dumb...
I've seen the "You Get What You Pay For" attitude work the wrong way for most managers who have no idea about the technology involved. Sadly this includes the hidden costs as well - Unix was high-tech because it needed an admin who pulled half that of the CEO; recently it's been "only Damn commie hippies use Leenux" (with apologies to RMS). This is true to the survival of Technical Primadonnas as well as Microsoft's products. For example, my project uses Redhat 9.0 - because that's what the IT guys paid for; what they don't know is that the servers run on a gentoo chroot on the same box (compiled with everything but).
The difference with the Perl solution is very simple: they put out a new release or patch. A patch I can read, inspect and understand, maybe even adapt a little so that my product works. It's not like "put these bits here and those bytes there and the binaries are patched".
The great thing about FOSS is that bad code never lives long. Of course that's the difference between a successful project and an unsuccessful one :).
Quidquid latine dictum sit, altum videtur
Linux comes from a tech-savvy community who enjoy making fun of and exploiting bad code/design by others (yeah, some are Elitist Bastards .. but that comes with the territory).
... each working on different directions to do the same thing (and I'm not talking about just package managers). (Much as I approve of the BSD attitude, it doesn't translate well into a commercial scenario, unlike GPL'd stuff).
Windows comes from a company that believes in making money and releasing on particular dates, not to mention being interested in selling updates as well.
Which one do you think will be more secure? Do I decide because it's been hacked by the hackers (white hats rule!) or because it passed an aggressive regression test cycle written by incompetent morons who are more interested in the money?
A few years back (waaay back in '99) when I first encountered GNU/Linux (my first guru is now a board member of FSF India), the system was frayed round the edges and center. But 4 years down the line, with Suse and IBM cracking down on the quality factor, the tide is turning. Both of them have a regression test suite and quality control for the PHB perspective - but Microsoft too has people poking holes in it (unfortunately those are not white hats).
All that said - if Linux wasn't GPL, we'd have 10 forks each calling itself IBMLinux, FreeLinux, OpenLinux, DragonflyLinux...
Quidquid latine dictum sit, altum videtur
The code "rewrite" is 5 lines.
If you actually used the IIS Lockdown tool in IIS 5 you won't be affected either.
So once again this is slashdot blowing something way out of proportion. If you're running the latest server software (IIS6, W2K3) or did your due diligence with the lockdown tool, you're perfectly safe.
I haven't found a vulnerable site yet. Has anyone even tested this vulnerability to verify if it's legitimate? All of my sites and servers are not affected. BTW MS has an HTTP module for download that will protect against all known URL vulns; you can d/l it off their alert site.
The same way Debian manages some global configuration files. If you choose, an auto configuration section will be marked by text in the file ("#start auto configuration", "#end auto configuration") and managed. Customization of the file can still be done manually after the auto section.
If all that was required is a 5 line change to a global file, I'm sure that even M$ could manage it. Windoze updater can modify any file on your system can't it?
The problem is that it's not a simple five line change, it's a code rewrite and it does not really fix the problem.
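The trick the thread describes (a backslash, raw or as %5C, slipping past the forms-auth URL match) comes down to the authorization layer comparing a non-canonical path. The following is an added illustration, not Microsoft's handler or any code from the thread: it canonicalizes a request path the way the access check should see it and rejects requests that are not already canonical, which is the server-wide guard the "5 line" fix discussion is about. The PROTECTED_PREFIXES list and the authorize() outcomes are constructed for the example.

```python
from urllib.parse import unquote


def canonical_path(raw_path: str) -> str:
    """Canonicalize a request path for the purposes of an access check.

    Constructed example: decodes percent-encoding repeatedly (so a
    double-encoded %255C is caught too), maps backslashes to forward
    slashes, drops empty and '.' segments and resolves '..' segments.
    """
    path = raw_path
    for _ in range(3):                      # decode until stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")          # the \ -> / translation URLScan does
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_canonical(raw_path: str) -> bool:
    """True only when the raw path already equals its canonical form.

    Strict by design: a path with legitimate percent-encoding (e.g. %20)
    is also flagged, so a production guard would decode once before comparing.
    """
    return raw_path == canonical_path(raw_path)


# Constructed: resources that require an authenticated session.
PROTECTED_PREFIXES = ("/vdir/admin/", "/vdir/samplepage.aspx")


def authorize(raw_path: str, authenticated: bool) -> str:
    """Return 'reject' for non-canonical URLs (serve a 404), 'login' for a
    protected resource without a session, and 'allow' otherwise.
    The protected-prefix match runs on the canonical path, never the raw one."""
    if not is_canonical(raw_path):
        return "reject"
    path = canonical_path(raw_path)
    if path.startswith(PROTECTED_PREFIXES) and not authenticated:
        return "login"
    return "allow"
```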
Feeling enlightened yet?
Friends don't help friends install M$ junk.
I always find it amusing how this sort of thing promotes massive discussion, when sensible application design (eg MVC a la Struts) can neatly skirt this issue in the first place. Granted, there are other security concerns with Struts, but when everything goes through a single point, it's a far more controlled situation - which is why it's used exclusively in our organisation.
And by the way - to all those complaining about the time spent testing these modifications, and saying they wished they had a patch for it : are you telling me that you don't test microsoft's patches? For people who have so little confidence in MS software, you seem to be very blase about blindly installing their fixes.
Sorry for the late reply to the thread (been away)...
This is total FUD. There's a simple fix they've released that can be added to the Machine.Config back on the 4th. Is this a crappy bug? YUP. Should have never happened in the first place. No recompilation needed and not for each app. Only once per server.
Actually I am rather impressed by a speedy workaround till a proper patch can be researched, tested, and implemented.
Yes this is MS and yes Bill's an evil git but this is the type of response all of us have been saying for years should be taken from sw vendors.
doesn't or shouldn't use the URL security. Every .NET site I have worked on does an explicit check on each page that needs to limit access. Also there is a fix for the problem; it is called Windows 2003.
As you pointed out, this seems to happen with every succeeding generation of Ford vehicles - like there's no "institutional memory" that remembers "We can't do it that way, 'cause here are the consequences".
And this is what it looks like happens at Microsoft - a lack of "institutional memory", as the same bugs are repeated in each new version of their products...