Important Information on ASP.NET Vulnerability

  • Thread starter Ken Cox [Microsoft MVP]

Ken Cox [Microsoft MVP]

"Microsoft has posted guidance that protects against a reported
vulnerability in all versions of ASP.NET that could allow a Web site visitor
to view secured content by using specially crafted requests to a Web server."

Here's a suggested fix:

Global.asax code sample (Visual Basic .NET)
<script language="vb" runat="server">
Sub Application_BeginRequest(Sender as Object, E as EventArgs)
    ' Reject the request if the URL path contains a backslash (Chr(92)) or
    ' if the physical path is not already in canonical form.
    If (Request.Path.IndexOf(chr(92)) >= 0 OR _
        System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
        Throw New HttpException(404, "Not Found")
    End If
End Sub
</script>

Global.asax code sample (C#)
<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e) {
    // Reject the request if the URL path contains a backslash or if the
    // physical path is not already in canonical form.
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        throw new HttpException(404, "not found");
    }
}
</script>


For more information visit here.

http://www.microsoft.com/security/incident/aspnet.mspx
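The same canonicalization check packaged as an HTTP module, so it can be applied without editing each application's Global.asax and so rejected requests are recorded. This is an added example, not part of the original post and not Microsoft's ValidatePathModule; the class name CanonicalPathCheckModule and the trace message are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Web;

// Hypothetical module name (assumption); not Microsoft's ValidatePathModule.
public class CanonicalPathCheckModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    // Same test as the Global.asax sample: a backslash in the URL path, or a
    // physical path that changes when canonicalized, means "not canonical".
    public static bool IsCanonical(string urlPath, string physicalPath)
    {
        if (urlPath.IndexOf('\\') >= 0) return false;
        try
        {
            return Path.GetFullPath(physicalPath) == physicalPath;
        }
        // If the path cannot be canonicalized at all, reject it rather than
        // letting the exception surface as a server error.
        catch (ArgumentException) { return false; }      // illegal characters
        catch (NotSupportedException) { return false; }  // unsupported path format
        catch (PathTooLongException) { return false; }
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest req = ((HttpApplication)sender).Request;
        if (!IsCanonical(req.Path, req.PhysicalPath))
        {
            // Record the rejection for later review (needs TRACE defined at
            // compile time and a trace listener configured).
            Trace.WriteLine(String.Format(
                "Rejected non-canonical request {0} from {1}",
                req.RawUrl, req.UserHostAddress));
            throw new HttpException(404, "Not Found");
        }
    }
}
```

A module like this is registered under the <httpModules> element in web.config or machine.config; the Global.asax samples above remain sufficient on their own for a single application.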
 

Guest

I've been installing this and testing the vpmodule.msi to prevent this issue
and have yet to see that it is adding the
'microsoft.web.validatepathmodule.dll' that it states should be in KB 887289.
The package is updating the machine.config, but not installing the dll. I've
been able to duplicate this on Win2k/IIS 5.0/.NET FW v1.1SP1 and
Win2003/IIS6/.NET FWv1.1 SP1. It states it installs successfully every time
though.
Additionally, I've attempted to manually update it per the KB and when
extracting the package, I get this Installer error:
Product: Microsoft ASP.NET ValidatePatch Module -- The installer has
encountered an unexpected error installing this package. This may indicate a
problem with this package. The error code is 2203. The arguments are
c:\temp\vpmodule.msi, -2147287008.

Has anyone else noticed this issue?
 

Scott Allen

I've done a couple machines, and other than causing a conflict with
CAS in Reporting Services I have not had any problems. The module
installs and I can see the assembly in the GAC.
 

Guest

I've now installed it on a third platform (Win2k/IIS/.netFWv1.1SP1) and it
did put the module in the GAC, however, it didn't place the dll on the system
and the codebase location is blank on the module. If you do the manual steps,
you will have the dll on the system and the codebase location is set to the
dir of the dll.
So, I'm confused if the dll is actually intended to be on the system or not
to ensure the GAC module is working.

Also, I figured out the Installer issue and I can extract it OK now.
 

Dan Kahler

The GAC isn't really intended to be viewed this way, but if it'll help you
sleep better, you can verify that the DLL actually is on your system by
going to command-line and navigating through the
"<systemroot>\Assembly\GAC\Microsoft.Web.ValidatePathModule" folder
structure.

Once you've done that, forget that this technique exists - nothing good can
come from circumventing the .NET Framework admin tools or Windows shell
hooks, so you definitely don't want to do this regularly.

Dan Kahler
 
