Fixing the ASP.NET Authentication Vulnerability
I'm not going to jawjack about how important this fix is, blah blah blah. Microsoft's working on a patch. In the meantime, EVERY ASP.NET developer should add this information to their Global.asax file ASAP. If you add it to the ASAX file and not the code-behind, you won't even have to recompile the app. DO THIS NOW. Please. More Info Here.
Global.asax code sample (Visual Basic .NET)
<script language="vb" runat="server">
Sub Application_BeginRequest(Sender as Object, E as EventArgs)
    ' Return 404 if the request path contains a backslash (chr(92)) or the
    ' physical path is not already in its canonical (fully resolved) form.
    If (Request.Path.IndexOf(chr(92)) >= 0 OR _
        System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
        Throw New HttpException(404, "Not Found")
    End If
End Sub
</script>
Global.asax code sample (C#)
<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e)
{
    // Return 404 if the request path contains a backslash or the
    // physical path is not already in its canonical (fully resolved) form.
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath)
    {
        throw new HttpException(404, "not found");
    }
}
</script>