ASP.NET vulnerability: I'm disappointed

Wednesday, October 6, 2004

.NET

By now you've heard about the alleged vulnerability in forms auth-protected folders. I'm ridiculously disappointed that this wasn't caught years ago because it's not entirely unlike the worm vulnerabilities of 2001 in terms of messing with the URL to get to naughty stuff.

In all fairness, I can't duplicate the exploit that someone sent me, but apparently someone can or it wouldn't have Microsoft's fullest attention.

I hope there's a fix soon, like tomorrow.

5 Comments

You can't, probably because, you have URLScan turned on in IIS 5.0.

- - Wednesday, October 6, 2004 2:47:00 PM

It is actually very different from the worm vulnerabilities in that it doesn't allow execution of maliciously uploaded code. As such, it is not wormable.

It is, though, still a bad bug.

scott - Wednesday, October 6, 2004 3:01:00 PM

Urlscan now. Another fix is coming soon.

Anonymous - Wednesday, October 6, 2004 3:02:00 PM

http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/10/02/27441.aspx

stefan demetz - Wednesday, October 6, 2004 4:57:00 PM

I'm actually using IIS6... is it not affected?

Jeff - Wednesday, October 6, 2004 7:02:00 PM

Comments have been disabled for this content.