ASP.Net Authentication Vulnerability

Karl

I realize there's an *.announce list for this sort of thing, but I imagine a
lot of people are like me and spend most of their time here, and seeing as
this is serious news, I thought I'd post:

A [major] security hole in authentication (forms, windows) has been found in
asp.net applications installed on machines running IIS 5.0 without URLScan
or IIS Lockdown Tool installed. You can learn more from:
http://weblogs.asp.net/ksamaschke/archive/2004/10/02/237042.aspx
(note, the post only talks about forms authentication, but it's been found to
affect windows authentication as well)

Karl
 
Hi Karl,

This has been talked about pretty extensively in this newsgroup. Here is
the code I wrote to fix the problem programmatically for developers who can't
install URLScan or IIS Lockdown or who use a 3rd party host without those
installed. The code below goes in the Global.asax file and fixes the
problem. Good luck! Ken.

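' Global.asax: runs at the start of every request
Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Replace backslashes in the requested URL with forward slashes
    Dim rPath As String = Request.RawUrl
    rPath = rPath.Replace("\", "/")
    ' Continue processing the request with the rewritten path
    Context.RewritePath(rPath)
End Sub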
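
A log check to go with the fix above, as an added example that is not part of either post: it scans IIS logs in W3C extended format for ASP.NET requests whose path contains a backslash, literal or percent-encoded. The log lines, addresses and paths are constructed, and the script assumes `cs-uri-stem` is among the logged fields.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-10-05 09:12:01 192.0.2.10 GET /app/default.aspx 200
2004-10-05 09:12:07 192.0.2.44 GET /app/secure\\report.aspx 200
2004-10-05 09:12:09 192.0.2.44 GET /app/secure%5Creport.aspx 200
2004-10-05 09:13:30 192.0.2.10 GET /app/secure/report.aspx 302
"""

ASPNET_EXT = re.compile(r"\.(aspx|asmx|ashx|axd)$", re.IGNORECASE)


def has_backslash(stem, max_rounds=3):
    """True if the path holds a backslash, literal or percent-encoded."""
    for _ in range(max_rounds):
        if "\\" in stem:
            return True
        decoded = unquote(stem)
        if decoded == stem:      # nothing left to decode
            return False
        stem = decoded
    return "\\" in stem


def find_backslash_requests(log_text):
    """Return (date, time, client, stem, status) for flagged ASP.NET requests."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if has_backslash(stem) and ASPNET_EXT.search(unquote(stem)):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         stem, row.get("sc-status")))
    return hits


if __name__ == "__main__":
    for hit in find_backslash_requests(SAMPLE_LOG):
        print(*hit)
```

A flagged request that was answered with 200 on a path that normally redirects to the login page is the one to investigate first.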
 