URGENT ASP.NET Vulnerability

If you haven't heard of this elsewhere already, please review this immediately:

http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=711220

http://www.microsoft.com/security/incident/aspnet.mspx

http://support.microsoft.com/?kbid=887459

A best practice is to install URLScan, as it will block some of the possible exploits mentioned in the links above. **Don't consider it a full solution, though**; the global.asax solution in the KB article is the true solution.

Notes on URLScan

http://www.microsoft.com/technet/security/tools/urlscan.mspx?#e (It's hidden but the link to the download is on that page)

URLScan is an easy install, but by default it disables asp and asa pages as well as exe, com and other files, so I suggest you review %windir%/system32/inetsrv/urlscan/urlscan.ini to ensure that it doesn't tighten your server too much.

Note: a reset of IIS is required for any changes to take effect.
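
One way to do the urlscan.ini review suggested above, as an added example that is not part of the original post or of URLScan itself: it reads the extension rules and reports which extensions your site needs would be rejected. The sample file contents and the site inventory are constructed, and treating a missing `UseAllowExtensions` as 0 is an assumption.

```python
# Added example: audit a urlscan.ini for extensions the site still needs.
SAMPLE_INI = """\
; constructed sample, not a copy of the shipped urlscan.ini
[options]
UseAllowExtensions=0    ; 0 = block what [DenyExtensions] lists
[AllowExtensions]
.htm
.html
.aspx
[DenyExtensions]
.asp
.asa
.exe
.com
"""

def parse_urlscan(text):
    """Return {section_name_lowercase: [entries]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def blocked_extensions(text, needed):
    """Extensions from `needed` that this configuration would reject."""
    sections = parse_urlscan(text)
    options = {}
    for entry in sections.get("options", []):
        key, _, value = entry.partition("=")
        options[key.strip().lower()] = value.strip()
    # Assumption: a missing UseAllowExtensions is treated as 0 (deny-list mode).
    allow_mode = options.get("useallowextensions", "0") == "1"
    source = "allowextensions" if allow_mode else "denyextensions"
    listed = {e.lower() for e in sections.get(source, [])}
    needed = [n.lower() for n in needed]
    if allow_mode:   # only listed extensions get through
        return sorted(n for n in needed if n not in listed)
    return sorted(n for n in needed if n in listed)

if __name__ == "__main__":
    site_needs = [".aspx", ".asp", ".html", ".exe"]  # hypothetical site inventory
    for ext in blocked_extensions(SAMPLE_INI, site_needs):
        print("blocked by URLScan:", ext)
```

To check a real server, pass the text of your own urlscan.ini and the list of extensions your applications actually serve in place of the constructed values.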
