ASP.NET Forms Auth Vulnerability

Friday, October 1, 2004

This may be fixed in ASP.NET 1.1 SP1, and may not be a problem for W2K3. Details sketchy, but this has been reproduced.
NTBugTraq
SourceForge thread

Here's the short version:
Say you have a secure page in a subdirectory - http://site/subdirectory/securepage.aspx
If you browse to it with a backslash instead of a forward slash in a non-IE browser, you bypass forms auth: http://site/subdirectory\securepage.aspx
Alternatively, in IE you can replace the / with %5C (hex for backslash) and again bypass forms auth: http://site/subdirectory%5Csecurepage.aspx

New Vulnerablility in Asp.Net Forms Authentication which allows malicious users to read "private pages" - Looks like there's a way to bypass ASP.NET forms security, which is bad news. Reading the thread, it may be fixed in the 1.1 SP1 Framework - I couldn't reproduce the reported problem on my own server, which is running SP1. This is important enough that you should test it on your own servers though. [Via Larkware News]

No Comments