IIS Server Security - Canonicalization issue in Microsoft IIS web server with ASP.NET







Paul Cyr

2004-10-15, 9:25 pm

I can't believe this newsgroup is not discussing this vulnerability. This is a
major flaw and we need a patch from Microsoft ASAP. This affects many
Microsoft products.

Event Analysis: By sending a specially crafted URL, application level
authentication can be bypassed, potentially exposing sensitive information
and programs. ASP.NET application authentication mechanisms are bypassed and
access may be granted to underlying components and data that should be
secured.

Web applications in ASP.NET may use a web.config file to control
authentication mechanisms. If a website visitor uses a backslash character
in a URL string in place of an expected forward slash, these authentication
mechanisms are bypassed and access is granted to underlying components that
should be secured. Please note that Internet Explorer automatically converts
backslashes to forward slashes, but the hex-encoded value of a backslash can
be substituted to successfully run this exploit.

All Windows servers running IIS with ASP.NET are potentially vulnerable.

Response Measures: The following techniques have been suggested by Microsoft
and others. Microsoft will be updating information on their website about
mitigating this vulnerability as information becomes available.

1. Install the Microsoft HTTP VPModule to check for canonicalization issues.
Instructions and downloads are available from the Microsoft website.

2. Install URLScan to block incoming URLs with backslash characters. Note
that URLScan configuration should be tested before deploying to a production
environment; otherwise, unexpected filtering behavior may occur. URLScan can
be downloaded from the Microsoft website.

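The bypass described above comes down to one thing: the authorization rule in web.config is matched against the request path as received, while the file system that eventually serves the file treats `\` and `/` as the same separator. A defender therefore wants two things: a path-based check that runs on a canonical form of the path, and a way to spot requests whose raw form differs from that canonical form in the audit log. The Python below is an added illustration, not code from this thread, from Microsoft's module or from URLScan; the protected prefix `/secure`, the helper names and the sample request paths are constructed for the example. It generalizes slightly beyond the post by also folding percent-decoding, double-encoding and `..` segments into the canonical form, since those are the other classic canonicalization gaps.

```python
from urllib.parse import unquote

# Constructed example: the path a web.config <location path="secure"> rule
# would protect. Everything under it should require authentication.
PROTECTED_PREFIX = "/secure"


def naive_is_protected(raw_path: str) -> bool:
    """The fragile check: match the rule against the path exactly as received.

    A backslash (or its hex-encoded form %5C) where a forward slash is
    expected makes the prefix comparison fail, so the request is treated as
    public even though the file system will serve the protected file.
    """
    return raw_path.lower().startswith(PROTECTED_PREFIX + "/")


def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to a single canonical form before any rule is applied.

    Steps: drop the query string, percent-decode until the result is stable
    (bounded, so %255C -> %5C -> \\ is caught without looping forever), map
    backslashes to forward slashes, resolve '.' and '..' segments, drop empty
    segments, and lower-case (IIS paths are case-insensitive).
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg.lower())
    return "/" + "/".join(segments)


def is_protected(raw_path: str) -> bool:
    """The hardened check: apply the same rule, but to the canonical path."""
    canon = canonicalize_path(raw_path)
    return canon == PROTECTED_PREFIX or canon.startswith(PROTECTED_PREFIX + "/")


def suspicious_indicators(raw_path: str) -> list:
    """Detection side: name the non-canonical constructs present in a raw path.

    These are the requests worth pulling out of the IIS logs while the
    patch is pending, and the ones URLScan's backslash rule would reject.
    """
    indicators = []
    lowered = raw_path.lower()
    if "\\" in raw_path:
        indicators.append("literal-backslash")
    if "%5c" in lowered:
        indicators.append("encoded-backslash")
    if "%25" in lowered:
        indicators.append("double-encoding")
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    if ".." in decoded.split("/"):
        indicators.append("dot-segment")
    return indicators


# Constructed sample request paths, as they might appear in cs-uri-stem.
SAMPLE_REQUESTS = [
    "/secure/report.aspx",
    "/secure\\report.aspx",
    "/secure%5Creport.aspx",
    "/secure%255creport.aspx",
    "/public/../secure/report.aspx",
    "/public/index.aspx",
]


def audit(paths):
    """Return (path, naive_result, canonical_result, indicators) for every
    request where the two checks disagree or an indicator fires."""
    rows = []
    for p in paths:
        naive, canon = naive_is_protected(p), is_protected(p)
        ind = suspicious_indicators(p)
        if naive != canon or ind:
            rows.append((p, naive, canon, ind))
    return rows


if __name__ == "__main__":
    for path, naive, canon, ind in audit(SAMPLE_REQUESTS):
        print(f"{path:35} naive={naive!s:5} canonical={canon!s:5} {ind}")
```

Every row the audit prints is a request that the raw-path rule would have let through while the canonical-path rule denies it, which is exactly the gap the post describes; the same `suspicious_indicators` logic run over a day of IIS logs gives a quick picture of whether anyone has been probing for it.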

Ken Schaefer

2004-10-15, 9:25 pm

A patch is being worked on, and will be available once sufficient testing
has been done - we don't want a patch that fixes one hole but either opens
another -or- doesn't close the hole properly requiring yet another patch a
short while down the track -or- doesn't work properly for customers in some
parts of the world or whatever.

Please refer to this webpage for the latest information:
http://www.microsoft.com/security/incident/aspnet.mspx

Also, this is not an IIS vulnerability - it is an ASP.NET vulnerability,
which may explain why you are not seeing much traffic here.

Cheers
Ken

"Paul Cyr" <PaulCyr@discussions.microsoft.com> wrote in message
news:8A68EE78-9EAB-4945-97A9-03573F2A8B6E@microsoft.com...
> I can't believe this newsgroup is not discussing this vulnerability. This is
> a major flaw and we need a patch from Microsoft ASAP. This affects many
> Microsoft products.
>
> Event Analysis: By sending a specially crafted URL, application level
> authentication can be bypassed, potentially exposing sensitive information
> and programs. ASP.NET application authentication mechanisms are bypassed and
> access may be granted to underlying components and data that should be
> secured.
>
> Web applications in ASP.NET may use a web.config file to control
> authentication mechanisms. If a website visitor uses a backslash character
> in a URL string in place of an expected forward slash, these authentication
> mechanisms are bypassed and access is granted to underlying components that
> should be secured. Please note that Internet Explorer automatically converts
> backslashes to forward slashes, but the hex-encoded value of a backslash can
> be substituted to successfully run this exploit.
>
> All Windows servers running IIS with ASP.NET are potentially vulnerable.
>
> Response Measures: The following techniques have been suggested by Microsoft
> and others. Microsoft will be updating information on their website about
> mitigating this vulnerability as information becomes available.
>
> 1. Install the Microsoft HTTP VPModule to check for canonicalization issues.
> Instructions and downloads are available from the Microsoft website.
>
> 2. Install URLScan to block incoming URLs with backslash characters. Note
> that URLScan configuration should be tested before deploying to a production
> environment; otherwise, unexpected filtering behavior may occur. URLScan can
> be downloaded from the Microsoft website.










Copyright 2003 - 2008 webservertalk.com