ASP.NET Security Vulnerability

Yesterday a vulnerability was disclosed at a security conference that lets an attacker decrypt, and then forge, the values an ASP.NET website protects with its Machine Key.  That key is used by the server to encrypt and sign cookies, ViewState, form data and other values sent to the client.  The attacker never needs to recover the key itself: by abusing the way the server reports decryption failures (a padding oracle), they can read protected values and craft new ones, and with that gain admin access and possibly download files from the server such as web.config (which often contains other sensitive data like database connection strings).

What you need to do now

Go read up on the vulnerability at:

http://www.microsoft.com/technet/security/advisory/2416728.mspx
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Then make a simple change to your web.config file and add a custom error page that will prevent the attack from working.  In simple terms, the attack is done by sending many deliberately corrupted encrypted values to the target site and using the error responses (which status code comes back, and how long it takes to come back) as an oracle: each distinguishable response leaks a little about the plaintext, and enough of them let the attacker decrypt or forge protected data.  If every error, whatever its cause, produces the same page with the same status code and no usable timing difference, the oracle goes away.
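The web.config change in question, as an added example that is not part of the original post or of Microsoft's advisory text: the weak per-status-code configuration (commented out) next to the single-page configuration that removes the oracle. The page names (~/Error.aspx, ~/Error.html, ~/NotFound.html, ~/ServerError.html) are placeholders for whatever your site uses.

```xml
<!-- Added example, not from the original post. Page names are placeholders. -->
<configuration>
  <system.web>

    <!-- WEAK: a different page per status code. A 404 page versus a 500 page
         tells the attacker whether the server rejected a tampered value before
         or after decrypting it, which is exactly the signal the attack needs.
         With customErrors Off or RemoteOnly the status codes still differ, so
         the oracle is still there. -->
    <!--
    <customErrors mode="On" defaultRedirect="~/Error.html">
      <error statusCode="404" redirect="~/NotFound.html" />
      <error statusCode="500" redirect="~/ServerError.html" />
    </customErrors>
    -->

    <!-- HARDENED (.NET 3.5 SP1 and .NET 4.0): every error, whatever its cause,
         is answered by one page. ResponseRewrite serves that page in place
         instead of issuing a redirect, so the redirect itself cannot leak the
         error type either. The target is an .aspx page so that its code-behind
         can add a random delay. No per-status-code <error> child elements. -->
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />

    <!-- HARDENED (.NET 1.0 through 3.5 without SP1): redirectMode does not
         exist there, so fall back to a plain single-page redirect, still with
         no <error> child elements. -->
    <!--
    <customErrors mode="On" defaultRedirect="~/Error.html" />
    -->

  </system.web>
</configuration>
```

Check the result by requesting a bogus resource (a URL that does not exist) and a request with a corrupted __VIEWSTATE value: both should come back as the same generic page. This is a mitigation, not a fix; apply Microsoft's patch as soon as it ships.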
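The custom error page that the single defaultRedirect points at, as an added example (not code from the original post). The file name Error.aspx and the class name are assumptions; the point is that the page returns the same fixed content for every error and sleeps for a small random, unpredictable interval so that response timing no longer distinguishes one failure from another.

```csharp
// Added example, not from the original post. Code-behind for the generic
// error page named in web.config (Error.aspx is an assumed name).
using System;
using System.Security.Cryptography;
using System.Threading;
using System.Web.UI;

public partial class Error : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Sleep 0..255 ms. The delay comes from the cryptographic RNG rather
        // than System.Random so the attacker cannot predict it and subtract
        // it back out of the timing measurements.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // RandomNumberGenerator only became IDisposable in .NET 4.0, so test
        // for the interface instead of a using block to keep this compiling
        // on .NET 2.0 / 3.5 as well.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null)
        {
            disposable.Dispose();
        }

        // Nothing else: do not call Server.GetLastError() or inspect the
        // status code to vary the message. The markup in Error.aspx should
        // be a fixed, generic "something went wrong" page.
    }
}
```

The delay is deliberately small; it is there to drown out the microsecond-scale difference between "bad padding" and "bad MAC", not to slow down real users.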

The exploit code is already making its way around the internet.  Microsoft is working on a patch that will be released shortly, but until then these steps are the only way to protect your website.  It’s unfortunate, but the two who found the vulnerability refused to work with Microsoft and instead chose to reveal the details of the exploit at a conference and then toss thumb drives containing code to exploit sites into the crowd.


Posted 09-18-2010 1:12 PM by Michael C. Neel

Site Copyright © 2007 CodeBetter.Com
Content Copyright Individual Bloggers