[karsten samaschke]

ASP.NET daily. Or weekly.

ASP.NET Forms vulnerability does not only affect Forms Authentication!

It gets worse and worse: As Lorenzo Barbieri states in his weblog (http://weblogs.asp.net/lbarbieri/archive/2004/10/02/237049.aspx), the backslash (\) and %5c vulnerability does not only affect Forms Authentication: it also affects Windows Authentication!

If you secure a path - say: http://localhost/site/secure/default.aspx - and the client (the browser) requests the resource with a backslash in place of the forward slash, with its URL-encoded form %5c (even worse), or with a mixture of the two (http://localhost/site/secure\default.aspx, http://localhost/site/secure%5cdefault.aspx or http://localhost/site/secure\%5cdefault.aspx), IIS does not reject the request, but lets you reach the resource without any authentication: the authorization rule is matched against the path as sent, none of these spellings equals the protected path, and the request falls through to the page. This affects every pre-Windows 2003 system without URLScan and / or the IIS Lockdown tool.

To protect yourself from this type of vulnerability, install URLScan and run the IIS Lockdown tool!

Additional resources:

Posted: Oct 02 2004, 11:20 PM by xxxkarsan3020 | with 5 comment(s)


Lorenzo Barbieri said:

"IIS does not reject the request"
It's not IIS, it's the URLAuthorizationModule of ASP.NET...
# October 2, 2004 6:40 PM