Important Information on ASP.NET Vulnerability

Ken Cox [Microsoft MVP] - 06 Oct 2004 13:47 GMT
"Microsoft has posted guidance that protects against a reported
vulnerability in all versions of ASP.NET that could allow a Web site visitor
to view secured content by using specially crafted requests to a Web server."

Here's a suggested fix:

Global.asax code sample (Visual Basic .NET)
<script language="vb" runat="server">
Sub Application_BeginRequest(Sender as Object, E as EventArgs)
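   ' Reject any request whose path contains a backslash (Chr(92)) or whose
   ' physical path is not already in canonical form.
   If (Request.Path.IndexOf(chr(92)) >= 0 OR _
       System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then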
       Throw New HttpException(404, "Not Found")
   End If
End Sub
</script>

Global.asax code sample ( C#)
<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e) {
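   // Reject any request whose path contains a backslash or whose
   // physical path is not already in canonical form.
   if (Request.Path.IndexOf('\\') >= 0 ||
       System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {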
       throw new HttpException(404, "not found");
   }
}
</script>

For more information visit here.

http://www.microsoft.com/security/incident/aspnet.mspx
Geeb - 09 Oct 2004 23:03 GMT
I've been installing this and testing the vpmodule.msi to prevent this issue
and have yet to see that it is adding the
'microsoft.web.validatepathmodule.dll' that it states should be in KB 887289.
The package is updating the machine.config, but not installing the dll. I've
been able to duplicate this on Win2k/IIS 5.0/.NET FW v1.1SP1 and
Win2003/IIS6/.NET FWv1.1 SP1. It states it installs successfully every time
though.
Additionally, I've attempted to manually update it per the KB and when
extracting the package, I get this Installer error:
Product: Microsoft ASP.NET ValidatePatch Module -- The installer has
encountered an unexpected error installing this package. This may indicate a
problem with this package. The error code is 2203. The arguments are
c:\temp\vpmodule.msi, -2147287008.

Has anyone else noticed this issue?
Scott Allen - 10 Oct 2004 03:19 GMT
I've done a couple machines, and other than causing a conflict with
CAS in Reporting Services I have not had any problems. The module
installs and I can see the assembly in the GAC.

--
Scott
http://www.OdeToCode.com/

>I've been installing this and testing the vpmodule.msi to prevent this issue
>and have yet to see that it is adding the
[quoted text clipped - 11 lines]
>
>Has anyone else noticed this issue?
Geeb - 10 Oct 2004 15:27 GMT
I've now installed it on a third platform (Win2k/IIS/.netFWv1.1SP1) and it
did put the module in the GAC, however, it didn't place the dll on the system
and the codebase location is blank on the module. If you do the manual steps,
you will have the dll on the system and the codebase location is set to the
dir of the dll.
So, I'm confused if the dll is actually intended to be on the system or not
to ensure the GAC module is working.

Also, I figured out the Installer issue and I can extract it OK now.

> I've done a couple machines, and other than causing a conflict with
> CAS in Reporting Services I have not had any problems. The module
[quoted text clipped - 3 lines]
> Scott
> http://www.OdeToCode.com/
Dan Kahler - 18 Oct 2004 17:12 GMT
The GAC isn't really intended to be viewed this way, but if it'll help you
sleep better, you can verify that the DLL actually is on your system by
going to command-line and navigating through the
"<systemroot>\Assembly\GAC\Microsoft.Web.ValidatePathModule" folder
structure.

Once you've done that, forget that this technique exists - nothing good can
come from circumventing the .NET Framework admin tools or Windows shell
hooks, so you definitely don't want to do this regularly.

Dan Kahler

> I've now installed it on a third platform (Win2k/IIS/.netFWv1.1SP1) and it
> did put the module in the GAC, however, it didn't place the dll on the system
[quoted text clipped - 13 lines]
> > Scott
> > http://www.OdeToCode.com/
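
The question raised in this thread (machine.config was updated, but is the DLL actually on disk?) can be answered with a read-only check from PowerShell. This is an added example, not code from any poster or from Microsoft; the assembly name and GAC folder come from the posts above, the function name Get-ValidatePathModuleStatus is hypothetical, and the machine.config location assumes the default layout under %SystemRoot%\Microsoft.NET\Framework.

```powershell
# Added example: read-only check for the ValidatePath module.
# Assembly name and GAC folder are taken from the thread; the machine.config
# location assumes a default .NET Framework install under %SystemRoot%.
$AssemblyName = 'Microsoft.Web.ValidatePathModule'

function Get-ValidatePathModuleStatus {
    param([string]$SystemRoot = $env:SystemRoot)

    # DLL copies under the GAC folder (one subfolder per version/key token).
    $gacDir = Join-Path $SystemRoot "assembly\GAC\$AssemblyName"
    $dlls = @()
    if (Test-Path -LiteralPath $gacDir) {
        $dlls = @(Get-ChildItem -LiteralPath $gacDir -Recurse -Filter "$AssemblyName.dll" |
                  Where-Object { -not $_.PSIsContainer })
    }

    # Every machine.config (one per installed framework version) that
    # mentions the module by assembly name.
    $pattern = Join-Path $SystemRoot 'Microsoft.NET\Framework\v*\CONFIG\machine.config'
    $configs = @(Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue)
    $referencing = @($configs | Where-Object {
        Select-String -Path $_.FullName -SimpleMatch $AssemblyName -Quiet
    })

    # Classify the combination, including the mismatch reported in the thread
    # (configuration updated, DLL not found).
    $state =
        if     ($referencing.Count -gt 0 -and $dlls.Count -gt 0) { 'Registered and present in GAC' }
        elseif ($referencing.Count -gt 0)                        { 'Registered in machine.config but DLL missing from GAC' }
        elseif ($dlls.Count -gt 0)                               { 'In GAC but not referenced by any machine.config' }
        else                                                     { 'Not installed' }

    [pscustomobject]@{
        State              = $state
        GacDlls            = @($dlls | ForEach-Object { $_.FullName })
        ReferencingConfigs = @($referencing | ForEach-Object { $_.FullName })
        ConfigsChecked     = $configs.Count
    }
}

Get-ValidatePathModuleStatus | Format-List
```

A result of "Registered in machine.config but DLL missing from GAC" is the case worth acting on, since the configuration then names a module that cannot be loaded.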
