Jeff and .NET

The .NET musings of Jeff Putz

ASP.NET vulnerability: I'm disappointed

By now you've heard about the alleged vulnerability in forms auth-protected folders. I'm ridiculously disappointed that this wasn't caught years ago because it's not entirely unlike the worm vulnerabilities of 2001 in terms of messing with the URL to get to naughty stuff.

In all fairness, I can't duplicate the exploit that someone sent me, but apparently someone can or it wouldn't have Microsoft's fullest attention.

I hope there's a fix soon, like tomorrow.
Posted: Oct 06 2004, 02:05 PM by Jeff | with 5 comment(s)

Comments

- said:


You can't, probably because you have URLScan turned on in IIS 5.0.
# October 6, 2004 2:47 PM

scott said:

It is actually very different from the worm vulnerabilities in that it doesn't allow execution of maliciously uploaded code. As such, it is not wormable.

It is, though, still a bad bug.
# October 6, 2004 3:01 PM

Anonymous said:

Urlscan now. Another fix is coming soon.
# October 6, 2004 3:02 PM

Jeff said:

I'm actually using IIS6... is it not affected?
# October 6, 2004 7:02 PM