Yesterday a vulnerability was disclosed at a security conference that enables
an attacker to obtain the Machine Key of an ASP.NET website. This key is used by
the server to encrypt cookies, form data and other values sent to the client.
With this key the attacker can exploit an ASP.NET site to gain admin access and
possibly download files from the server such as web.config (which often contains
other sensitive data, like database connection strings).
What you need to do now
Go read up on the vulnerability at:
Then make a simple change to your web.config file and add a custom error page
that will prevent the attack from working. In simple terms, the attack is done by
sending bad requests to the target site and watching the error codes, and the time
it takes to return those error codes, for clues that help figure out the Machine Key.
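The web.config change described above, written out as an added example (this is not code from the original post; it follows the customErrors mitigation Microsoft published for this vulnerability, and the page name ~/error.aspx is an assumed placeholder):

```xml
<!-- Added example: web.config fragment for the custom error page mitigation.
     Every server error, whatever its cause, is rewritten into the same page with
     the same status, so the attacker loses the error-code distinctions the attack
     relies on. ~/error.aspx is a placeholder page name; it should return a fixed,
     generic response and add a short random delay before responding, so that
     response time gives away nothing either. -->
<configuration>
  <system.web>
    <!-- mode="On" also hides detailed error pages from local requests;
         redirectMode="ResponseRewrite" (ASP.NET 3.5 SP1 and later) serves the
         error page in place instead of issuing a redirect that would itself
         reveal which kind of error occurred. Omit redirectMode on older
         framework versions, where only the redirect form is available. -->
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
```

After deploying, check the change from outside the network: request a page that does not exist, a page that throws, and a request with a deliberately malformed query string, and confirm all three come back with the identical status code and body. If any of them differs, the error-code signal the attack depends on is still leaking.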
The exploit is already making its way through the internet. Microsoft is
working on a patch that will be released shortly, but until then these are the
only steps to protect your website. It's unfortunate, but the two who found the
vulnerability refused to work with Microsoft and instead chose to reveal the
details of the exploit at a conference and then toss thumb drives into the crowd
containing code to exploit sites.
09-18-2010 1:12 PM
Michael C. Neel