Hot Item - ASP.NET Security Vulnerability

I'm sure many of you have already heard of today's news... but if not, please read below... (Information from D/FW's Rock-Star Developer Evangelist - Brian Moore - Thanks Brian).

Description

Microsoft is currently investigating a reported vulnerability in Microsoft ASP.NET. An attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This reported vulnerability exists in ASP.NET and does not affect ASP.

This issue affects Web content owners who are running any version of ASP.NET on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional, and Windows Server 2003.

The underlying issue is that ASP.NET is failing to perform proper canonicalization of some URLs. Microsoft Knowledge Base (KB) article 887459, "Programmatically Checking for Canonicalization Issues with ASP.NET," describes how to add additional safeguards to an ASP.NET application to help protect against common canonicalization issues, such as those related to this reported vulnerability.

Resources

• http://www.microsoft.com/security/incident/aspnet.mspx
• http://support.microsoft.com/?kbid=887459

Follow-Up:

Spoke with the ASP.NET Team and they have confirmed that all versions of ASP.NET on all operating systems may be susceptible to this potential exploit. They strongly recommend you apply the following code to the Global.asax for each of your applications.

      Global.asax code sample (Visual Basic .NET)

Sub Application_BeginRequest(Sender as Object, E as EventArgs)

    If (Request.Path.IndexOf(chr(92)) >= 0 OR _

        System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then

        Throw New HttpException(404, "Not Found")

    End If

End Sub

Global.asax code sample (C#)

void Application_BeginRequest(object source, EventArgs e) {

    if (Request.Path.IndexOf('\\') >= 0 ||

        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {

        throw new HttpException(404, "not found");

    }

}

The ASP.NET team is continuing to work on this problem and will post more information once it becomes available to http://www.microsoft.com/security/incident/aspnet.mspx.