ASP.NET Security Vulnerability

Yesterday a vulnerability was disclosed at a security conference that enables an attacker to gain the Machine Key of an ASP.NET website. This key is used by the server to encrypt cookies, form data and other values sent to the client. With this key the attacker can exploit an ASP.NET site to gain admin access and possibly download files from the server such as web.config (which often contains other sensitive data like database connection strings).

What you need to do now

Go read up on the vulnerability at:

Then make a simple change to your web.config file and add a custom error page that will prevent the attack from working. In simple terms, the attack is carried out by sending bad requests to the target site and watching both the error codes returned and the time it takes to return them, using those as clues for figuring out the Machine Key.
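A web.config change of the kind the post describes, shown as an added example rather than the author's own configuration; the weak per-status setup is contrasted with a single always-on error page, and `~/Error.aspx` is a placeholder page name:

```xml
<!-- Added example, not from the original post. ~/Error.aspx is a placeholder. -->
<configuration>
  <system.web>
    <!-- Weak: detailed errors for local requests, and different redirects per
         status code, let a client tell one kind of failure from another. -->
    <!--
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ServerError.aspx" />
    </customErrors>
    -->

    <!-- Hardened: custom errors always on, one page for every error, and
         (on .NET 3.5 SP1 and later) the page is rewritten into the response
         rather than redirected to, so the URL and status give nothing away. -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx"
                  redirectMode="ResponseRewrite" />
  </system.web>
</configuration>
```

The error page itself should respond in the same way, and in a uniform or randomised time, for every failure, since the post notes that response timing is part of the signal the attack relies on.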

The exploit is already making its way through the internet. Microsoft is working on a patch that will be released shortly, but until then these are the only steps to protect your website. It's unfortunate, but the two who found the vulnerability refused to work with Microsoft and instead chose to reveal the details of the exploit at a conference and then toss thumb drives into the crowd containing code to exploit sites.

Posted 09-18-2010 1:12 PM by Michael C. Neel


Site Copyright © 2007 CodeBetter.Com
Content Copyright Individual Bloggers