ASP.Net Authentication Vulnerability

Karl

I realize there's an *.announce list for this sort of thing, but I imagine a
lot of people are like me and spend most of their time here, and seeing as
this is serious news, I thought I'd post:

A [major] security hole in authentication (forms, windows) has been found in
asp.net applications installed on machines running IIS 5.0 without URLScan
or IIS Lockdown Tool installed. You can learn more from:
http://weblogs.asp.net/ksamaschke/archive/2004/10/02/237042.aspx
(note, the post only talks about forms authentication, but it's been found to
affect windows authentication as well)

Karl
 
Ken Dopierala Jr.

Hi Karl,

This has been talked about pretty extensively in this newsgroup. Here is
the code I wrote to fix the problem programmatically for developers who can't
install URLScan or IIS Lockdown or who use a 3rd party host without those
installed. The code below goes in the Global.asax file and fixes the
problem. Good luck! Ken.

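    Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Take the URL exactly as the client sent it
        Dim rPath As String = Request.RawUrl
        ' Normalize backslashes to forward slashes
        rPath = rPath.Replace("\", "/")
        ' Continue processing the request under the normalized path
        Context.RewritePath(rPath)
    End Sub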
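
Added example, not from either poster: a variant of the handler above that refuses the request instead of rewriting it, and that also treats a percent-encoded backslash (%5C) in the path as suspect. The class name GlobalApplication, the helper HasBackslashInPath, the %5C check and the 404 response are assumptions of this example.

```vbnet
Imports System
Imports System.Globalization
Imports System.Web

' Hypothetical code-behind class for Global.asax (the name is an assumption).
Public Class GlobalApplication
    Inherits HttpApplication

    ' True when the path part of the raw URL holds a backslash,
    ' either literal or percent-encoded (%5C / %5c).
    Public Shared Function HasBackslashInPath(ByVal rawUrl As String) As Boolean
        If rawUrl Is Nothing Then
            Return False
        End If

        ' Inspect the path only; a query string value may legitimately
        ' contain a backslash and is not used to locate the resource.
        Dim urlPath As String = rawUrl
        Dim queryStart As Integer = rawUrl.IndexOf("?"c)
        If queryStart >= 0 Then
            urlPath = rawUrl.Substring(0, queryStart)
        End If

        If urlPath.IndexOf("\"c) >= 0 Then
            Return True
        End If
        Return urlPath.ToLower(CultureInfo.InvariantCulture).IndexOf("%5c") >= 0
    End Function

    Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Reject rather than rewrite: the request ends here with a 404,
        ' so no later module sees a path that differs from the one sent.
        If HasBackslashInPath(Request.RawUrl) Then
            Throw New HttpException(404, "Not found")
        End If
    End Sub
End Class
```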
 
