[karsten samaschke]

ASP.NET daily. Or weekly.

ASP.NET Forms vulnerability does not only affect Forms Authentication!

It gets worse and worse: As Lorenzo Barbieri states in his weblog (http://weblogs.asp.net/lbarbieri/archive/2004/10/02/237049.aspx), the \- and %5c-vulnerability does not only affect Forms Authentication: It also affects Windows Authentication!

If you secure a path - say: http://localhost/site/secure/default.aspx - and the client (= browser) requests the resource using backslashes or (even worse) their URL-encoded hexadecimal representation (http://localhost/site/secure\default.aspx, http://localhost/site/secure%5cdefault.aspx, or a mixture of both: http://localhost/site/secure\%5cdefault.aspx), IIS does not reject the request but lets you reach the resource without any authentication. This affects every pre-Windows 2003 system without URLScan and/or the IIS Lockdown tool.

To protect yourself from this type of vulnerability, install URLScan and execute IIS Lockdown tool!
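To make the mechanism concrete, here is an added example (plain Python, not ASP.NET or IIS code, and not from the original post) that models the flawed prefix check beside a check taken on the canonicalized path; the `/site/secure/` folder and the three request variants come from the post, all function names are this example's own.

```python
# Added example: models the canonicalization flaw described above in plain
# Python. Path names come from the post; function names are this example's own.
import posixpath
from urllib.parse import unquote

SECURED_PREFIX = "/site/secure/"   # the protected folder from the post

def naive_is_secured(request_path: str) -> bool:
    """Flawed check: compares the raw request path with the protected prefix,
    so 'secure\\default.aspx' and 'secure%5cdefault.aspx' are never matched."""
    return request_path.startswith(SECURED_PREFIX)

def canonicalize(request_path: str) -> str:
    """Percent-decode until stable (catches %5c and double encoding), fold
    backslashes into forward slashes, then collapse '.', '..' and '//'."""
    path = request_path
    for _ in range(4):                       # bounded: never loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path

def canonical_is_secured(request_path: str) -> bool:
    """Authorization decision taken on the canonical form of the path."""
    canon = canonicalize(request_path)
    return canon == SECURED_PREFIX.rstrip("/") or canon.startswith(SECURED_PREFIX)

def should_reject(request_path: str) -> bool:
    """Defensive pre-filter in the spirit of the URLScan advice: refuse any
    request whose decoded path still contains a backslash."""
    return "\\" in unquote(request_path)

if __name__ == "__main__":
    # Constructed sample requests; the middle three are the variants the post lists.
    for p in ["/site/secure/default.aspx", "/site/secure\\default.aspx",
              "/site/secure%5cdefault.aspx", "/site/secure\\%5cdefault.aspx",
              "/site/public/default.aspx"]:
        print(f"{p:35} naive={naive_is_secured(p)!s:5} "
              f"canonical={canonical_is_secured(p)!s:5} reject={should_reject(p)}")
```

The decode loop is deliberately stricter than a single decode pass, so the canonical check also covers double-encoded backslashes that a one-shot decoder would miss.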

Additional resources:

Posted: Oct 02 2004, 11:20 PM by xxxkarsan3020 | with 6 comment(s)

Comments

Lorenzo Barbieri said:

"IIS does not reject the request"
It's not IIS, it's the URLAuthorizationModule of ASP.NET...
# October 2, 2004 6:40 PM

TrackBack said:

^_^,Pretty Good!
# April 9, 2005 11:04 PM