Lorenzo Barbieri @ Weblogs.Asp.Net

Shake your thoughts... Confessions of a MSF and .NET addicted


My articles<br><font size="1">(in English)</font>

My articles<br><font size="1">(in Italian)</font>

My old articles<br><font size="1">for <a href="http://www.objectway.it">ObjectWay SpA</a> (in Italian)</font>

My projects

The Italian Blog...<br><font size="1">(my Official Italian blog)</font>

ASP.NET vulnerability is not ONLY on Forms Autentication... Windows autentication is vulnerable too!!!

As confirmed by my friend Raffaele Rialdi (an italian MVP) in this post on his italian blog, also other types of authentication are vulnerable by the %5c or \ characters in the URL.

Try to protect a site with Windows Autentication, and then to protect some pages that only Administrators (for example) can see, using location tags.

Log into the site as a user (if you're not logged IIS will block you...), and try to go to the protected page with the %5c character, and... you can see it...

The problem (as remarked by other italian .NET experts) is in the URLAuthorizationModule, and is a classic URL Canonicalization problem (see this and this posts, from Roberto Brunetti and Daniele Bochicchio [MVP], but they're in Italian).

At the end in this post from Paolo Pialorsi (also in Italian) it's explained that other sequences can result in troubles, and that ASP.NET 2.0 (tested with the built-in web server, because IIS6 was not vulnerable by default) is not vulnerable to a single \ or %5c, but it fails with two of them...

As pointed by the post from Andrea Saltarello [MVP] and one post from me, using Windows 2003 or using URLScan will stop this problem.

Another solution is in Rob's post (in italian) and is to rewrite the URL in the global.asax or in an HTTPModule.


No Comments