Microsoft Issues Ominous ASP.Net Security Warning
An anonymous reader writes "A security flaw in Microsoft's ASP.NET apparently allows access to password-protected areas just by altering a URL. There's no patch yet, but in the meantime Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits. About 2.9 million web sites run on ASP.NET according to Netcraft." Some more links: another Microsoft article, NTBugtraq, K-Otik and Heise.
While I think the flaw itself is a concern, the 'rewrite their applications' quote is pure drivel. All that's required is a couple of lines in Global.asax. That's hardly a rewrite.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
"If a visitor to an ASP.NET site substitutes '\' or '%5C' for the '/' character in the URL, they may be able to bypass password login screens. The technique may also work if a space is substituted for the slash." Is it just me, or is this a bit too simple even for script kiddiz?
and use asp2php as found on Freshmeat.
RTFA - this is ASP.NET not ASP.
Right, because historically PHP has been an absolute bastion of security.
> There is a patch coming, but it's not available yet.
However in light of some IE exploits "yet" tends to mean 3-6 months.
It may have something to do with the fact that PHP changes too much between minor versions. Or at least it used to.
1) Insert into global.asax:
<script language="C#" runat="server">
    // Reject any request whose path still contains a backslash, or whose
    // physical path is not already in its canonical (fully qualified) form.
    void Application_BeginRequest(object source, EventArgs e) {
        if (Request.Path.IndexOf('\\') >= 0 ||
            System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
            // Respond as if the resource does not exist rather than serving it.
            throw new HttpException(404, "not found");
        }
    }
</script>
2) ???
3) Profit!
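As an added example (not part of the original post or of Microsoft's KB workaround), here is a defender-side detection script: it reads constructed IIS-style log lines, canonicalizes each request path the way the bypass described in the thread abuses it (backslash, %5C, encoded space, dot-dot segments, and double encoding, which goes beyond what the thread mentions), and flags requests that reached a protected area with a 200. The log field layout, the /admin/ prefix and the sample lines are all assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed IIS W3C-style log excerpt (not real traffic). Assumed field order:
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2004-10-06 09:12:01 GET /admin/default.aspx - 302
2004-10-06 09:12:07 GET /admin\\default.aspx - 200
2004-10-06 09:12:15 GET /admin%5Cdefault.aspx - 200
2004-10-06 09:12:20 GET /public/index.aspx - 200
2004-10-06 09:12:25 GET /admin%20default.aspx - 200
2004-10-06 09:12:31 GET /admin/../admin%255cdefault.aspx - 200
"""

# Assumption: this prefix is the login-protected area of the application.
PROTECTED_PREFIXES = ("/admin/",)


def canonicalize(uri_stem):
    """Return the path the server would actually resolve for a raw cs-uri-stem.

    Percent-decoding is applied twice to also catch double encoding (%255C),
    '\\' and a decoded space (both mentioned in the thread) are treated as
    path separators, and '.'/'..' segments are collapsed.
    """
    decoded = unquote(unquote(uri_stem))
    decoded = decoded.replace("\\", "/").replace(" ", "/")
    return posixpath.normpath(decoded)


def find_bypass_attempts(log_text):
    """Return one finding per request whose raw path is not already canonical."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != 6:
            continue  # skip directives, blank lines and malformed records
        stem, status = parts[3], parts[5]
        canonical = canonicalize(stem)
        if canonical == stem:
            continue  # nothing unusual about this path
        protected = any(canonical.startswith(p) for p in PROTECTED_PREFIXES)
        findings.append({
            "raw": stem,
            "canonical": canonical,
            "status": status,
            # A 200 on a protected path via a non-canonical URL is the bypass signature.
            "likely_bypass": protected and status == "200",
        })
    return findings
```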
I am the maverick of Slashdot
If you'd read the KB article, you simply add a few lines of code to a global file that resides at the root directory of the web application. While I'll admit the vulnerability is sadly elementary and has existed in previous Microsoft implementations, it's not like Microsoft has asked developers to completely recode every single file of a web application. It's like saying, hey, Samba has this really basic flaw. But if you add an entry in your smb.conf file it's okay. It's not the end of the world. It's crazy to think that the security hole made it past their (supposedly rigorous) peer code review process, but the workaround isn't too much to ask.
It's very unlikely. Pr0n sites are usually big users of OSS software; almost all run on Apache with Linux.
Comparing PHP 4.3.x series to ASP.NET (both 1 and 1.1) at secunia. It seems to me that the vulnerabilities are 10 to 3. If you were recommending a product, at least do some research before you do.
Here's a vulnerability or two right here. Too bad they are in the revered PHP platform. Just to show that no one is immune.
The fix is pretty low impact wrt webapps. It's merely a matter of adding an event handler to the Global.asax file. The vast majority of webapps do not even touch that file because it's mostly auto-generated.
Saying that they need to "rewrite their applications" is incredibly misleading.
One line blog. I hear that they're called Twitters now.
No, he is correct, that works in mozilla.
For IE use %5C in place of the \ [as IE converts \ to / ]
This was much easier to fix than the GRUB/Fedora Core 2 multiboot bug...
For those who are interested, the fix is here:
http://support.microsoft.com/?kbid=887459
For those about to rock, we salute you.
second society
OK, I am an independent programmer that writes most of my code in ASP.NET. I'll give a taste of what this does to people like me.
Remember, there are actually TWO vulnerabilities that affect programmers in Microsoft right now - the GDI+ JPEG overflow and the new canonicalization overflow. Microsoft has fixed neither effectively, so the coders have to fix both.
I manage eleven ASP.NET sites and five C# Windows Forms applications. Between those sixteen apps, I need to:
- load them up in Visual Studio
- Go back to the last stable build in SourceSafe
- fix the reference to GDI+
- add the mappath check to the Global.asax file
- munge the global error handler so I don't get 12,434 error emails when the hacks start coming
- compile
- regression test the app
- redeploy
Now, admittedly, that only took about 20 hours for all 16 apps, but for CRYING OUT LOUD can't they just test this stuff BEFORE they send it out? I have the highest respect for the ASP.NET team, I have worked with many of them on the many books I have written on the topic. Nonetheless, I now have to spend 12 precious, non-billable hours on a problem that is covered at length in 'the bible' - Howard and LeBlanc's Writing Secure Code 2.
Why do I write in ASP.NET? It is FAST - much much much faster than Java or perl or CF any other middleware out there. It is perfect for what I do. But how many of these are there? How many security flaws that the black hats know about that we don't?
It's a little frustrating.
/usr/bin/grep -i -E meaning life.txt
But this just checks the presence of the one known overlooked character, and performs one 'smell-test' check on the path. What about unicode variations? What about dot-dot variations? How often will this need to be tweaked before a patch comes out?
I agree, it's no re-write...it's a PITA production workaround.
Actually, it's very simple and can be handled a multitude of ways. Here's two examples:
Build PHP as a CGI, and print #!/path/to/php at the top of every php file. (Like you do with Perl)
Now wrap it with suExec and you're all set.
Observe the *slight* performance hit.
or include:
<Location />
php_admin_value open_basedir "/home/username/public_html:/usr/local/lib/php/:/tmp/:/var/tmp/"
</Location>
into each VirtualHost on your PHP server and it will not allow any file operations to take place outside of the listed directories.
On some sites you may need to add a few other dirs to the open_basedir for whatever you're trying to accomplish.
eg: I shell out to ImageMagick's "convert" a lot, so I add its path to the open_basedir for that particular VirtualHost.
Common sense is not so common.
The "Rewrite of the application" is about 3 lines of code being inserted into a single event handler for each application. Let's not jump on the "Microsoft BAD, Open source GOOD" band wagon before we know our facts. It's not a "rewrite" of the application, just an update.
ASP != ASP.NET
They are *completely* different languages/technology. Perhaps you should spend more time actually learning than bashing stuff you have no clue about.
PS: How did this get modded up, when it was an obvious flame? Oh right. It's Slashdot.
Yeah. It's not like any large websites use php. I was at a PHP conference about two weeks ago, where Rasmus Lerdorf (the lead developer, who happens to work at Yahoo now) was talking about their infrastructure. He didn't give an exact number, but said it was in the area of 10,000 servers (running FreeBSD), and handles literally billions of hits a day.
It's too bad it doesn't scale: once they get 10 billion hits a day they'll probably have to rewrite and switch to .NET or something.
but good luck convincing a large financial institution to use PHP on their giant web apps.
The only problem here is reputation. Microsoft pushes .NET as a large enterprise system, same thing with Sun and Java. No one really pushes PHP, besides people that use it.
There's no reason PHP can't be used to write "enterprise" applications from a technical standpoint. I think the problem comes from the fact that generally schools teach Java, because it was hip during dot com, and .NET, because Microsoft gives them lots of free software when they do. When all your developers - especially the lead developers and CIOs making language and platform decisions - are trained on a certain platform, that's what they'll choose.
I'd really like to hear the reason you don't think PHP is scalable, or why you don't think it's suited (a technical reason, not by reputation), but to be honest, I don't think you'll be able to give me one because by the way you talk, my guess is the only thing you know about PHP is what you've heard from other people and/or companies who sell a product that competes.
PHP runs on basically every platform (instant cost savings vs .NET). It can connect to any major DBMS. It runs on a ton of web servers, most importantly Apache. It's lightweight, has probably the lowest learning curve of any language (read: your designers can use it), easily extensible with C, and it's open source (so you never have vendor lock-in, and you're never stuck with a problem that can't be solved).
I use PHP for lots of my stuff, and it saves me money and allows me to do things a lot faster than if I was using another language. I don't care if you agree or not, because it doesn't really affect me in the end. It's a competitive advantage for my company - I don't have the overhead of paying extra thousands of dollars per server for licences, for one thing.
Speak before you think
I'm relatively sure that canonicalization happens before application_beginrequest. A simple debug will show you that your requested URL has already changed to an appropriate forward slash.
Problems with PHP, as with almost all security issues in all software, can be fixed with a patch to the execution environment. The difference here is that the recommended fix is to patch everybody else's code.
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
If a car has a screw that becomes loose after 10,000 miles and could potentially let the engine drop out, regardless of how rare it might happen, every car will be recalled and the screw will be tightened and the car given back.
You seem to have a rather short memory. 3 years ago, Ford execs knew that the tires they equipped all their Explorer SUVs with were defective and could explode when too hot on a highway, effectively killing all its occupants. Lots and lots of emails proved it. Firestone execs knew as well. A lot of people died. Yet, it had to go public through a third party (a private investigation by a journalist IIRC). Then, they recalled.
In that regard, we can safely say that Microsoft is more fair play than Ford is. And no, I don't think Ford is any exception.
Write boring code, not shiny code!
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0409&L=ntbugtraq&F=P&S=&P=9884
Microsoft repeatedly states in the documentation that it's better to use parameters on a command object for two reasons:
- security. exactly what you say above.
- performance. if the database has a cached copy of the parameterized query then it doesn't need to do the compilation. (however, sql server 2000 does have the ability to infer the parameterization of ad-hoc queries in order to avoid recompilation, but it's still more expensive than using a cached command).
the bottom line is: no developer worth his paycheck should be using ad-hoc queries, and those that get paid enough to eat should be using stored procedures anyway.
Have you ever been to a turkish prison?
Really?
Hmm... Perhaps.... http://secunia.com/product/3919/