October 2004 - Posts
It gets worse and worse: As Lorenzo Barbieri states in is weblog (http://weblogs.asp.net/lbarbieri/archive/2004/10/02/237049.aspx), the \- and %5c-vulnerability does not only affect Forms Authentication: It also affects Windows Authentication!
If you secure a path - say: http://localhost/site/secure/default.aspx - and the client (=browser) tries to access the resource using Backslashes or (even worse) the hexadecimal representation (http://localhost/site/secure\default.aspx or http://localhost/site/secure%5cdefault.aspx or a mixture of it: http://localhost/site/secure\%5cdefault.aspx), IIS does not reject the request, but allows you to enter the resource without any authentication. This affects every pre-Windows 2003 system without URLScan and / or IIS Lockdown tool.
To protect yourself from this type of vulnerability, install URLScan and execute IIS Lockdown tool!
Additional resources:
A major ASP.NET Forms Authentication vulnerability has been found! In short: When you secure sub-directories using Forms Authentication, you'll usually define this in your web.config. If you use IE to access a sub-directory - for example http://localhost/site/secure/default.aspx - you'll be redirected to the defined login page. This will also happen, when you have a typo - say: http://localhost/site/secure\default.aspx (note the backslash). But - and this is the bug - it wont happen with Mozilla Firefox or other browsers. When you try to access a secured directory using this browsers and the malicious url, you'll be able to access the directory. Without any Authentication. This is serious!
IE is not affected, because it rewrites the url before sending the request to the server. If you type the malicious url in a different way - say: http://localhost/site/secure%5Cdefault.aspx - it will be behave as the other browsers.
Affected systems: Every Windows before Windows 2003 with an installed .NET framework. Because in IIS6 (which is shipped with Windows 2003) Microsoft has rewritten the parser responsible for doing path normalization.
Solution: Install URLScan and run the IIS Lockdown Tool.
More information:
Two days ago I was informed about my fourth MVP award. I'm really proud of this and I want to thank Microsoft for this. And I will continue to do community work. This is a promise!
...but I was quite busy: I wrote my very first Java book. And I worked a lot. And I finally bought a new laptop - it is an IBM ThinkPad R50p, which I don't want to miss anymore... :-)
More Posts