Microsoft Issues Ominous ASP.Net Security Warning
An anonymous reader writes "A security flaw in Microsoft's ASP.NET apparently allows access to password-protected areas just by altering a URL. There's no patch yet, but in the meantime Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits. About 2.9 million web sites run on ASP.NET according to Netcraft." Some more links: another Microsoft article, NTBugtraq, K-Otik and Heise.
While I think the flaw itself is a concern, the 'rewrite their applications' quote is pure drivel. All that's required is a couple of lines in Global.asax. That's hardly a rewrite.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
"If a visitor to an ASP.NET site substitutes '\' or '%5C' for the '/' character in the URL, they may be able to bypass password login screens. The technique may also work if a space is substituted for the slash." Is it just me, or is this a bit too simple even for script kiddiz?
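As an added illustration of the kind of Global.asax check the first comment refers to (this is not code from the story, from the linked Microsoft article, or from any poster here), the handler below rejects any request whose path contains a backslash or whose physical path does not canonicalize to itself. Application_BeginRequest runs before ASP.NET's URL authorization, so the request is refused before the framework decides which folder's access rules apply. The 404 status and the message text are my choices; the handling of exceptions from GetFullPath is also my addition.

```csharp
<%@ Application Language="C#" %>
<%@ Import Namespace="System.IO" %>
<script runat="server">
// Added example: request-level canonicalization check for Global.asax (ASP.NET 1.x).
// The goal is that a protected folder can only be reached through the one
// spelling of its URL that the authorization rules are written against.
void Application_BeginRequest(object sender, EventArgs e)
{
    // Request.Path has already been URL-decoded by ASP.NET, so an encoded
    // backslash (%5C) arrives here as a literal '\' and is caught by this test.
    bool hasBackslash = Request.Path.IndexOf('\\') >= 0;

    // Map the request to a physical path and let the OS canonicalize it.
    // If the two differ, the URL was not in canonical form (for example a
    // trailing space that the file system would silently drop) and is rejected.
    bool notCanonical;
    try
    {
        notCanonical =
            Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath;
    }
    catch (ArgumentException)
    {
        // A path the OS refuses to canonicalize is treated as non-canonical.
        notCanonical = true;
    }

    if (hasBackslash || notCanonical)
    {
        // 404 rather than 403: do not confirm that a protected resource exists.
        throw new HttpException(404, "Not found");
    }
}
</script>
```

After deploying, confirm that the canonical URL of a protected page still prompts for login and that the alternate spellings quoted above now return 404 rather than the page content; the global error handler mentioned further down the thread should treat these 404s as expected noise rather than mailing one alert per attempt.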
Right, because historically PHP has been an absolute bastion of security.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
It may have something to do with the fact that PHP changes too much between minor versions. Or at least it used to.
It's very unlikely. Pr0n sites are usually big users of OSS software; almost all run on Apache with Linux.
Comparing PHP 4.3.x series to ASP.NET (both 1 and 1.1) at secunia. It seems to me that the vulnerabilities are 10 to 3. If you were recommending a product, at least do some research before you do.
Here's a vulnerability or two right here. Too bad they are in the revered PHP platform. Just to show that no one is immune.
One line blog. I hear that they're called Twitters now.
OK, I am an independent programmer that writes most of my code in ASP.NET. I'll give a taste of what this does to people like me.
Remember, there are actually TWO vulnerabilities that affect programmers in Microsoft right now - the GDI+ JPEG overflow and the new canonicalization overflow. Microsoft has fixed neither effectively, so the coders have to fix both.
I manage eleven ASP.NET sites and five C# Windows Forms applications. Between those sixteen apps, I need to:
- load them up in Visual Studio
- Go back to the last stable build in SourceSafe
- fix the reference to GDI+
- add the mappath check to the Global.asax file
- munge the global error handler so I don't get 12,434 error emails when the hacks start coming
- compile
- regression test the app
- redeploy
Now, admittedly, that only took about 20 hours for all 16 apps, but for CRYING OUT LOUD can't they just test this stuff BEFORE they send it out? I have the highest respect for the ASP.NET team, I have worked with many of them on the many books I have written on the topic. Nonetheless, I now have to spend 12 precious, non-billable hours on a problem that is covered at length in 'the bible' - Howard and LeBlanc's Writing Secure Code 2.
Why do I write in ASP.NET? It is FAST - much much much faster than Java or perl or CF any other middleware out there. It is perfect for what I do. But how many of these are there? How many security flaws that the black hats know about that we don't?
It's a little frustrating.
S
/usr/bin/grep -i -E meaning life.txt
Actually, it's very simple and can be handled a multitude of ways. Here are two examples:
Build PHP as a CGI, and print #!/path/to/php at the top of every php file. (Like you do with Perl)
Now wrap it with suExec and you're all set.
Observe the *slight* performance hit.
or include:
<Location />
php_admin_value open_basedir "/home/username/public_html:/usr/local/lib/php/:/tmp/:/var/tmp/"
</Location>
into each VirtualHost on your PHP server and it will not allow any file operations to take place outside of the listed directories.
On some sites you may need to add a few other dirs to the open_basedir for whatever you're trying to accomplish.
eg: I shell out to ImageMagick's "convert" a lot, so I add its path to the open_basedir for that particular VirtualHost.
Common sense is not so common.
ASP != ASP.NET
They are *completely* different languages/technology. Perhaps you should spend more time actually learning than bashing stuff you have no clue about.
PS: How did this get modded up, when it was an obvious flame? Oh right. It's Slashdot.
Yeah. It's not like any large websites use php. I was at a PHP conference about two weeks ago, where Rasmus Lerdorf (the lead developer, who happens to work at Yahoo now) was talking about their infrastructure. He didn't give an exact number, but said it was in the area of 10,000 servers (running FreeBSD), and handles literally billions of hits a day.
It's too bad it doesn't scale: once they get 10 billion hits a day they'll probably have to rewrite and switch to .NET or something.
but good luck convincing a large financial institution to use PHP on their giant web apps.
The only problem here is reputation. Microsoft pushes .NET as a large enterprise system, same thing with Sun and Java. No one really pushes PHP, besides people that use it.
There's no reason PHP can't be used to write "enterprise" applications from a technical standpoint. I think the problem comes from the fact that generally schools teach Java, because it was hip during dot com, and .NET, because Microsoft gives them lots of free software when they do. When all your developers - especially the lead developers and CIOs making language and platform decisions - are trained on a certain platform, that's what they'll choose.
I'd really like to hear the reason you don't think PHP is scalable, or why you don't think it's suited (a technical reason, not by reputation), but to be honest, I don't think you'll be able to give me one because by the way you talk, my guess is the only thing you know about PHP is what you've heard from other people and/or companies who sell a product that competes.
PHP runs on basically every platform (instant cost savings vs .NET). It can connect to any major DBMS. It runs on a ton of web servers, most importantly Apache. It's lightweight, has probably the lowest learning curve of any language (read: your designers can use it), easily extensible with C, and it's open source (so you never have vendor lock-in, and you're never stuck with a problem that can't be solved).
I use PHP for lots of my stuff, and it saves me money and allows me to do things a lot faster than if I was using another language. I don't care if you agree or not, because it doesn't really affect me in the end. It's a competitive advantage for my company - I don't have the overhead of paying extra thousands of dollars per server for licences, for one thing.
Speak before you think
If a car has a screw that becomes loose after 10,000 miles and could potentially let the engine drop out, regardless of how rare it might happen, every car will be recalled and the screw will be tightened and the car given back
You seem to have a rather short memory. 3 years ago, Ford execs knew that the tires they equipped all their Explorer SUVs with were defective and could explode when too hot on a highway, effectively killing all its occupants. Lots and lots of emails proved it. Firestone execs knew as well. A lot of people died. Yet, it had to go public through a third party (a private investigation by a journalist IIRC). Then, they recalled.
In that regard, we can safely say that Microsoft is more fair play than Ford is. And no, I don't think Ford is any exception.
Write boring code, not shiny code!
SDK Download
Have you ever been to a turkish prison?
Really?