Robert McLaws: FunWithCoding.NET

Public Shared Function BrainDump(ByVal dotNet As String) As [Value]

News

<script type="text/javascript"><!-- google_ad_client = "pub-4330602465258980"; google_hints = "ASP.NET, VB.NET, C#, C#.NET, WindowsForms, .NET Framework, VS2005, Visual Studio, XAML, WinFX, Windows Workflow, WPF, WCF, Atlas, NetFX3, Visual Studio Orcas"; google_ad_width = 120; google_ad_height = 240; google_ad_format = "120x240_as"; google_ad_type = "text_image"; google_ad_channel ="4997399242"; google_color_border = "B6C9E7"; google_color_bg = "EFEFEF"; google_color_link = "0000FF"; google_color_text = "000000"; google_color_url = "002C99"; //--></script> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script>
<!--
-->

You should feel free to challenge me, disagree with me, or tell me I'm completely nuts in the comments section of each blog entry, but I reserve the right to delete any comment for any reason whatsoever. That said, I will most likely only delete abusive, profane, rude, or annonymous comments, so keep it polite, please.

Blogroll

Cool .NET Articles

My .NET Tools

My Builder.com Articles

My MSKB Articles

Fixing the ASP.NET Authentication Vulnerability

I'm not going to jawjack about how important this fix is, blah blah blah. Microsoft's working on a patch. In the meantime, EVERY ASP.NET developer should add this information to their Global.asax file ASAP. If you add it to the ASAX file and not the code-behind, you won't even have to recompile the app. DO THIS NOW. Please. More Info Here.

Global.asax code sample (Visual Basic .NET)

<script language="vb" runat="server">
Sub Application_BeginRequest(Sender as Object, E as EventArgs)
    If (Request.Path.IndexOf(chr(92)) >= 0 OR _
        System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
        Throw New HttpException(404, "Not Found")
    End If
End Sub
</script>

Global.asax code sample ( C#)

<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e) {
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        throw new HttpException(404, "not found");
    }
}
</script>
Posted: Oct 06 2004, 08:01 AM by interscape | with 6 comment(s)

Comments

TrackBack said:

# October 6, 2004 10:59 AM

Joe said:

Surely:
EVERY ASP.NET developer should *consider whether they need to* add this information to their Global.asax file ASAP
# October 6, 2004 11:19 AM

M. Keith Warren said:

How about doing what MSFT says and adding URLscan rather than changing code.
# October 6, 2004 11:38 AM

Shannon J Hager said:

Keith, every developer can not use URLScan. Those that can should, those that can't need a code-based solution.
# October 6, 2004 12:33 PM

TrackBack said:

The hills are alive with the sound of music KB links echoed through blogosphere. As reported here here here here here here here here here here (and too many other places to mention), MS has released a bulletin regarding this vulnerability. If you want to correct the problem, you should add the code from KB article 887459 to your Global.asax (or Global.asax.cs or Global.asax.vb, as the case may be). I still recommend using more fine-grained security checks on each page like I mentioned earlier and that you run URLScan and IISLockdown (if you can). Or upgrade to IIS 6. Better yet, do all of the above.
# October 6, 2004 2:32 PM

stefandemetz said:

http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/10/02/27441.aspx
# October 11, 2004 3:51 AM