ASP.NET Security Vulnerability and How to Prevent It

The patch to fix the ASP.NET Security Vulnerability is now available on Windows Update: ASP.NET Security Update Now Available on Windows Updates
http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx
Updated on 01st-Oct-2010

Official patch released: ASP.NET Security Update Now Available
http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx
Updated on 29th-Sep-2010

In this post I am going to say something about the ASP.NET Security Vulnerability.

This is a very serious bug in ASP.NET security that allows an attacker to get sensitive information, such as the database connection string and secure appSettings values, from an ASP.NET web site (the web.config file). You can find more details about it here:

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

and here are the FAQs:

http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx

The ASP.NET Framework provides a handler, WebResource.axd (or ScriptResource.axd, it doesn't really matter which), that offers a way to retrieve physical files of any kind from your web file system. You can see how this is supported if you add something like this to your page:

<asp:ScriptManager runat="server" ID="ScriptManager1">
  <CompositeScript>
    <Scripts>
      <asp:ScriptReference Path="~/web.config" />
    </Scripts>
  </CompositeScript>
</asp:ScriptManager>

Here we set the path to web.config, just playing with ASP.NET. Then run the page. The rendered output contains something like the following:

<script src="/ScriptResource.axd?d=ycEQiwETfhMZkd5o_11LpmI4L71eSrGrjB4WUQB-z1FK8JRkVG-jdqKKNagaDb36HarishQCm1xQtV_PFSt2W4qR16tUC0vymsWFdtmjwxg1&amp;t=633677089732500000" type="text/javascript"></script>

Here the "d" parameter holds the address of the resource, in encrypted form. So far so good. But somebody may be able to encode the resource value themselves. Once they find the right value or get the encryption key, they can simply generate those values and access anything. 🙁

How to prevent this:

The official recommendation is basically to return a single error page in every case. They suggest the following settings:

<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>

or else

<location path="WebResource.axd">
  <system.web>
    <customErrors defaultRedirect="~/error.html" mode="On" />
  </system.web>
</location>
<location path="ScriptResource.axd">
  <system.web>
    <customErrors defaultRedirect="~/error.html" mode="On" />
  </system.web>
</location>

This should be enough.

Back up the site more often until the solution for this arrives from Microsoft.

You can get clear details about this here:
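The following is an added example, not code from the original post or from Microsoft: a small Python check that a web.config sends both handlers to a single error page, as the settings above intend. The function names and the sample configurations are constructed for illustration, and it assumes a web.config without an XML namespace on its root element.

```python
import xml.etree.ElementTree as ET

HANDLERS = ("WebResource.axd", "ScriptResource.axd")

def _check(scope, el):
    """Findings for one effective <customErrors> element (None = absent)."""
    if el is None:
        return [f"{scope}: no <customErrors> element applies"]
    out = []
    if el.get("mode") != "On":
        out.append(f"{scope}: mode is {el.get('mode')!r}, expected 'On'")
    if not el.get("defaultRedirect"):
        out.append(f"{scope}: defaultRedirect is not set")
    if el.findall("error"):  # per-status pages tell error types apart
        out.append(f"{scope}: per-status <error> children present")
    return out

def audit_custom_errors(web_config_xml):
    """Return findings for both handlers; an empty list means each one
    gets a single error page. Assumes no XML namespace on the root."""
    root = ET.fromstring(web_config_xml)
    site = root.find("system.web/customErrors")
    per_path = {loc.get("path"): loc.find("system.web/customErrors")
                for loc in root.findall("location")}
    findings = []
    for handler in HANDLERS:
        override = per_path.get(handler)  # a <location> block wins over site-wide
        findings += _check(handler, override if override is not None else site)
    return findings

# Constructed samples: the two configurations from the post and a weak one.
SITE_WIDE = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""
PER_HANDLER = """<configuration>
  <location path="WebResource.axd"><system.web>
    <customErrors defaultRedirect="~/error.html" mode="On" />
  </system.web></location>
  <location path="ScriptResource.axd"><system.web>
    <customErrors defaultRedirect="~/error.html" mode="On" />
  </system.web></location>
</configuration>"""
WEAK = """<configuration><system.web>
  <customErrors mode="RemoteOnly">
    <error statusCode="404" redirect="~/404.html" />
  </customErrors>
</system.web></configuration>"""
if __name__ == "__main__":
    for name in ("SITE_WIDE", "PER_HANDLER", "WEAK"):
        print(name, audit_custom_errors(globals()[name]) or "OK")
```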

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

http://devnet.kentico.com/Blogs/Martin-Hejtmanek/September-2010/How-ASP-NET-Security-Vulnerability-affects-Kentico.aspx (this one is cool and clear!)

Enjoy while coding..!
Thanks,
Naga Harish.

6 thoughts on "ASP.NET Security Vulnerability and prevent that"

  1. I really like the work that has gone into making the post. I will be sure to tell my blog buddies about your content. Keep up the good work. Thanks
