[karsten samaschke]

ASP.NET daily. Or weekly.

Major ASP.NET Forms Authentication vulnerability found!

A major ASP.NET Forms Authentication vulnerability has been found! In short: When you secure sub-directories using Forms Authentication, you'll usually define this in your web.config. If you use IE to access a sub-directory - for example http://localhost/site/secure/default.aspx - you'll be redirected to the defined login page. This will also happen, when you have a typo - say: http://localhost/site/secure\default.aspx (note the backslash). But - and this is the bug - it wont happen with Mozilla Firefox or other browsers. When you try to access a secured directory using this browsers and the malicious url, you'll be able to access the directory. Without any Authentication. This is serious!

IE is not affected, because it rewrites the url before sending the request to the server. If you type the malicious url in a different way - say:  http://localhost/site/secure%5Cdefault.aspx - it will be behave as the other browsers.

Affected systems: Every Windows before Windows 2003 with an installed .NET framework. Because in IIS6 (which is shipped with Windows 2003) Microsoft has rewritten the parser responsible for doing path normalization.

Solution: Install URLScan and run the IIS Lockdown Tool.

More information:

Posted: Oct 02 2004, 10:12 PM by xxxkarsan3020 | with 7 comment(s)
Filed under:

Comments

TrackBack said:

There is a very big hole in IIS 5 and/or ASP.NET direcorty security when using forms authentication to protect directories via the web.config file. The vulnerability was first reported on NTBugtraq with some further developments reported here on SourceForge (and here). Normally, I would be a little more upset about some publicly reporting bugs, especially those that affect me, instead of reporting them privately to Microsoft first, but in this case, Microsoft not only knows about the problem,
# October 2, 2004 11:14 AM

TrackBack said:

ASP.NET authentication security bug in IIS4/IIS5(ASP.NET on IIS6 Windows 2003 is not affected)
# October 2, 2004 1:00 PM

TrackBack said:

# October 2, 2004 3:23 PM

Lorenzo Barbieri said:

As confirmed by my friend Raffaele Rialdi in this post in Italian (http://blogs.ugidotnet.org/raffaele/archive/2004/10/02/3615.aspx) also Windows Forms authentication is vulnerable.
Of course you've to login into the website, because IIS checks for the identity of the user.
But if you protect some pages that only administrators can see, and you use the %5c char, you can see them... :-(
# October 2, 2004 4:29 PM

Ken Dopierala Jr. said:

Hi,

I wrote the code below as a programatic way to fix this for developers who use 3rd party hosting without IIS Lockdown or URLScan, or who can't install those in their environments for other reasons. The code goes in the Global.asax file and will instantly fix the problem. Good luck! Ken.

Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
Dim rPath As String = Request.RawUrl
rPath = rPath.Replace("\", "/")
Context.RewritePath(rPath)
End Sub
# October 3, 2004 10:21 AM

Dave VanderWekke said:

I've done much the same thing in the Global.asax file, but I've added a few more of the common hacker escape characters like "..", etc.

I also made an additional enhancement to disassemble the entire URL and rebuild it. This cleans it up nicely, but there is a minor performance hit.
# October 19, 2004 2:18 PM

Prevent Foreclosure said:

I found your entry interesting do I've added a Trackback to it on my weblog :)

# September 19, 2008 4:33 PM
Leave a Comment

(required) 

(required) 

(optional)

(required)