[karsten samaschke]

ASP.NET daily. Or weekly.

Major ASP.NET Forms Authentication vulnerability found!

A major ASP.NET Forms Authentication vulnerability has been found! In short: when you secure sub-directories using Forms Authentication, you usually define this in your web.config. If you use IE to access a sub-directory - for example http://localhost/site/secure/default.aspx - you'll be redirected to the defined login page. This also happens when you have a typo - say http://localhost/site/secure\default.aspx (note the backslash). But - and this is the bug - it won't happen with Mozilla Firefox or other browsers. When you try to access a secured directory using these browsers and the malicious URL, you'll be able to access the directory without any authentication. This is serious!

IE is not affected, because it rewrites the URL before sending the request to the server. If you type the malicious URL in a different way - say http://localhost/site/secure%5Cdefault.aspx (the backslash percent-encoded) - IE will behave like the other browsers.

Affected systems: every Windows version before Windows 2003 with the .NET Framework installed, because in IIS6 (which ships with Windows 2003) Microsoft has rewritten the parser responsible for path normalization.

Solution: Install URLScan and run the IIS Lockdown Tool.
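As an added defender-side example (not part of the original post), the following Python scans constructed IIS W3C extended log lines for the backslash and %5C variants described above and shows that their canonical form resolves inside the protected directory while the raw form does not, which is exactly the gap the IIS5 authorization check fell into. The /site/secure/ prefix, the log field layout and the sample lines are assumptions.

```python
import urllib.parse

# Assumed: web.config protects <location path="secure"> under /site/
PROTECTED_PREFIX = "/site/secure/"

# Constructed W3C extended log lines (not real server output)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-10-02 22:10:01 10.0.0.5 GET /site/secure/default.aspx - 302
2004-10-02 22:10:07 10.0.0.5 GET /site/secure\\default.aspx - 200
2004-10-02 22:10:15 10.0.0.9 GET /site/secure%5Cdefault.aspx id=7 200
2004-10-02 22:10:20 10.0.0.9 GET /site/public/index.aspx - 200
"""


def canonicalize(uri_stem):
    """Decode percent-escapes once and fold backslashes to forward slashes,
    mirroring what IE does client-side and IIS6 does server-side before
    the Forms Authentication URL-authorization check runs."""
    decoded = urllib.parse.unquote(uri_stem)
    return decoded.replace("\\", "/").lower()


def is_bypass_attempt(uri_stem):
    """True when the raw stem does not start with the protected prefix
    but its canonical form does: the request reached a protected file
    without matching the protected path."""
    raw_protected = uri_stem.lower().startswith(PROTECTED_PREFIX)
    canon_protected = canonicalize(uri_stem).startswith(PROTECTED_PREFIX)
    return canon_protected and not raw_protected


def scan_log(text):
    """Return (client ip, raw stem, canonical stem, status) for each hit.
    A 200 status on a hit means authorization was skipped, not redirected."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, ip, _method, stem, _query, status = fields[:7]
        if is_bypass_attempt(stem):
            hits.append((ip, stem, canonicalize(stem), status))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("bypass attempt: ip=%s raw=%s canonical=%s status=%s" % hit)
```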

More information:

Posted: Oct 02 2004, 10:12 PM by xxxkarsan3020 | with 15 comment(s)
Filed under:

Comments

TrackBack said:

There is a very big hole in IIS 5 and/or ASP.NET directory security when using forms authentication to protect directories via the web.config file. The vulnerability was first reported on NTBugtraq with some further developments reported here on SourceForge (and here). Normally, I would be a little more upset about someone publicly reporting bugs, especially those that affect me, instead of reporting them privately to Microsoft first, but in this case, Microsoft not only knows about the problem,
# October 2, 2004 11:14 AM

TrackBack said:

ASP.NET authentication security bug in IIS4/IIS5 (ASP.NET on IIS6 Windows 2003 is not affected)
# October 2, 2004 1:00 PM

Lorenzo Barbieri said:

As confirmed by my friend Raffaele Rialdi in this post in Italian (http://blogs.ugidotnet.org/raffaele/archive/2004/10/02/3615.aspx), Windows Forms authentication is also vulnerable.
Of course you have to log in to the website, because IIS checks the identity of the user.
But if you protect some pages that only administrators can see, and you use the %5c char, you can see them... :-(
# October 2, 2004 4:29 PM

Ken Dopierala Jr. said:

Hi,

I wrote the code below as a programmatic way to fix this for developers who use third-party hosting without IIS Lockdown or URLScan, or who can't install those in their environments for other reasons. The code goes in the Global.asax file and will instantly fix the problem. Good luck! Ken.

Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Normalise the raw request URL before the Forms Authentication
    ' authorization check runs: fold a literal backslash and its
    ' percent-encoded form (%5C / %5c, which Request.RawUrl leaves undecoded)
    ' into a forward slash so the protected path matches again.
    Dim rPath As String = Request.RawUrl
    rPath = rPath.Replace("\", "/")
    rPath = rPath.Replace("%5C", "/").Replace("%5c", "/")
    Context.RewritePath(rPath)
End Sub
# October 3, 2004 10:21 AM

Dave VanderWekke said:

I've done much the same thing in the Global.asax file, but I've added a few more of the common hacker escape characters like "..", etc.

I also made an additional enhancement to disassemble the entire URL and rebuild it. This cleans it up nicely, but there is a minor performance hit.
# October 19, 2004 2:18 PM
