Microsoft Issues Ominous ASP.Net Security Warning
An anonymous reader writes "A security flaw in Microsoft's ASP.NET apparently allows access to password-protected areas just by altering a URL. There's no patch yet, but in the meantime Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits. About 2.9 million web sites run on ASP.NET according to Netcraft." Some more links: another Microsoft article, NTBugtraq, K-Otik and Heise.
While I think the flaw itself is a concern, the 'rewrite their applications' quote is pure drivel. All that's required is a couple of lines in Global.asax. That's hardly a rewrite.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
"If a visitor to an ASP.NET site substitutes '\' or '%5C' for the '/' character in the URL, they may be able to bypass password login screens. The technique may also work if a space is substituted for the slash." Is it just me, or is this a bit too simple even for script kiddiz?
Right, because historically PHP has been an absolute bastion of security.
Comparing PHP 4.3.x series to ASP.NET (both 1 and 1.1) at Secunia. It seems to me that the vulnerabilities are 10 to 3. If you were recommending a product, at least do some research before you do.
OK, I am an independent programmer that writes most of my code in ASP.NET. I'll give a taste of what this does to people like me.
Remember, there are actually TWO vulnerabilities that affect programmers in Microsoft right now - the GDI+ JPEG overflow and the new canonicalization overflow. Microsoft has fixed neither effectively, so the coders have to fix both.
I manage eleven ASP.NET sites and five C# Windows Forms applications. Between those sixteen apps, I need to:
- load them up in Visual Studio
- Go back to the last stable build in SourceSafe
- fix the reference to GDI+
- add the mappath check to the Global.asax file
- munge the global error handler so I don't get 12,434 error emails when the hacks start coming
- compile
- regression test the app
- redeploy
Now, admittedly, that only took about 20 hours for all 16 apps, but for CRYING OUT LOUD can't they just test this stuff BEFORE they send it out? I have the highest respect for the ASP.NET team, I have worked with many of them on the many books I have written on the topic. Nonetheless, I now have to spend 12 precious, non-billable hours on a problem that is covered at length in 'the bible' - Howard and LeBlanc's Writing Secure Code 2.
Why do I write in ASP.NET? It is FAST - much much much faster than Java or Perl or CF or any other middleware out there. It is perfect for what I do. But how many of these are there? How many security flaws that the black hats know about that we don't?
It's a little frustrating.
S
/usr/bin/grep -i -E meaning life.txt
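The "mappath check" in Global.asax and the quieter global error handler listed in the post above, sketched as an added example (not code from the post or from Microsoft's advisory). The class name `Global`, the `NotifyOperator` helper and the use of `System.Diagnostics.Trace` as the log sink are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Code-behind for Global.asax (class name assumed).
public class Global : HttpApplication
{
    // BeginRequest is the first pipeline event, so this runs before the
    // authentication and authorization stages see the request.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // A backslash in the URL path (typed as '\' or sent as %5C) is never
        // needed by a legitimate link on the site.
        bool hasBackslash = Request.Path.IndexOf('\\') >= 0;

        // If normalising the mapped physical path changes it, the URL was not
        // in canonical form when ASP.NET mapped it.
        string physical = Request.PhysicalPath;
        bool notCanonical = Path.GetFullPath(physical) != physical;

        if (hasBackslash || notCanonical)
            throw new HttpException(404, "Not found");
    }

    // Global error handler: log rejected URLs locally, alert on the rest.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        // The 404 may be wrapped, so walk the inner-exception chain.
        for (Exception cur = ex; cur != null; cur = cur.InnerException)
        {
            HttpException http = cur as HttpException;
            if (http != null && http.GetHttpCode() == 404)
            {
                System.Diagnostics.Trace.WriteLine(String.Format(
                    "404 {0} from {1}", Request.RawUrl, Request.UserHostAddress));
                return; // no operator alert for probes and dead links
            }
        }
        NotifyOperator(ex);
    }

    // Hypothetical stand-in for the site's existing e-mail notification.
    private void NotifyOperator(Exception ex)
    {
        System.Diagnostics.Trace.WriteLine("ALERT " + ex);
    }
}
```

Keeping the rejected URL and client address in a local log preserves a record of probing without one e-mail per attempt.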