Massive ASP.Net Forms Authentication vulnerability

Craig

A couple of key points here:

"Confirm a user is who they should be, use the roles system in ASP.NET on
EVERY page that should be secured."
....

"Do not just rely on the Web.Config settings"

Since I wrote my first forms authentication site, I always ensured on every
page requiring authorization that the user's role allowed him access to the
page using the roles system and a few other custom methods. It's just a
habit carried over from classic asp. Stephen Fraser has several good
examples of how to avoid this particular exploit in his CMS.NET product
(http://www.gotdotnet.com/workspaces/directory.aspx?&Column=WorkspaceName&Direction=ASC&ST=cms.net)
although he never mentions the vulnerability per se.

Having said that, these MS "silly" vulnerabilities have become quite
tiresome. I really don't like having to constantly convince my bosses not
to scrap ms development products altogether in favor of linux based tools.

My 2¢
Craig
 
Greg Burns

I just tried this (the \) in FireFox preview release 1 and couldn't
duplicate.

I also tried it (the %5C) in IE 5.5 and IE 6 without success.

Is this for real?

Greg
 
Guest

I've been able to repro it, and then not able to after applying framework 1.1
SP1 - don't know about 1.0 installations.

Greg Burns said:
I just tried this (the \) in FireFox preview release 1 and couldn't
duplicate.

I also tried it (the %5C) in IE 5.5 and IE 6 without success.

Is this for real?

Greg
 
Greg Burns

I assume you mean SP1 installed on the server hosting the ASP.NET site? My
server is still Framework 1.1 no SP applied...

(My test of IE 5.5 was done through a Citrix terminal session with no
framework on the client at all)

Greg


Greg Hurlman said:
I've been able to repro it, and then not able to after applying framework 1.1
SP1 - don't know about 1.0 installations.
 
Ryan Taylor

Just my two cents.

I have been able to replicate this bug using Firefox, IE on a Windows XP SP1
system, with .NET 1.1.4322.573 and .NET SP1 running IIS 5.0.

I have not been able to replicate this on Windows 2003 Server, with .NET
1.1.4322.573 and .NET SP1 running IIS 6.0.

Ryan Taylor
 
John Saunders

Greg Hurlman said:
Yes, apparently the URL normalization that IIS 6.0 manages is mitigating this
particular issue.

What's worse is that now it appears to affect Windows authentication as well
as forms auth; see
http://blogs.squaretwo.net/PermaLink.aspx?guid=4c331ad6-70c9-4370-9c6e-f2576fa2b0f1
for details.

Is there any hope of Microsoft or even an MVP giving us any word on this, or
are they just hoping it'll go away?

I doubt that they'll speak before they have something to say. I'd assume
they've seen these posts, though if we knew that an MVP had seen these
posts, it would make me feel better.
 
Guest

Agreed; I realized today that MS probably has an edict from on high that they
can't say anything until a patch is released for this. I don't know if such
a thing would extend to MVPs, but a simple "yep, on it" would be good enough
for now if that's all we can get.
 
Ken Dopierala Jr.

Hi,

I posted this code in another thread. It goes in the Global.aspx.vb file.
My systems are already patched so I can't test it, but for those out there
who aren't allowed to patch their systems or whose hosts haven't patched
their systems give it a spin and let me know if it works. Ken.

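Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Replace every backslash in the requested URL with a forward slash
    ' before the request is processed further.
    Dim rPath As String = Request.RawUrl
    rPath = rPath.Replace("\", "/")
    Context.RewritePath(rPath)
End Sub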

--
Ken Dopierala Jr.
For great ASP.Net web hosting try:
http://www.webhost4life.com/default.asp?refid=Spinlight

If you sign up under me and need help, email me.
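
An added example, not part of Ken's post or of any Microsoft guidance: a variant of the Application_BeginRequest workaround above that rejects the request instead of rewriting it, and also catches the %5C form mentioned earlier in the thread. The class name SiteApplication is hypothetical, and the code assumes Request.Path may arrive already decoded while RawUrl may not, so it checks both.

```vbnet
' Added example (not from the thread). SiteApplication is a hypothetical name;
' point the Inherits attribute of Global.asax at it.
Imports System
Imports System.Web

Public Class SiteApplication
    Inherits System.Web.HttpApplication

    ' True when the path holds a backslash, literal or percent-encoded.
    Private Shared Function HasBackslash(ByVal path As String) As Boolean
        If path Is Nothing Then Return False
        Return path.IndexOf("\"c) >= 0 _
            OrElse path.IndexOf("%5C") >= 0 _
            OrElse path.IndexOf("%5c") >= 0
    End Function

    Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Look at the path only, so query-string values are never altered.
        Dim rawPath As String = Request.RawUrl
        Dim q As Integer = rawPath.IndexOf("?"c)
        If q >= 0 Then rawPath = rawPath.Substring(0, q)

        ' Assumption: Request.Path may already be decoded, RawUrl may not be,
        ' so both are checked.
        If HasBackslash(Request.Path) OrElse HasBackslash(rawPath) Then
            Throw New HttpException(404, "Not Found")
        End If
    End Sub
End Class
```

This is a stopgap alongside the per-page role checks Craig describes, not a replacement for them.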
 
Ken Dopierala Jr.

Hi,

I shouldn't have said patched. I meant I have all the latest service packs.
The exploit doesn't work on Windows 2003 Server, ASP.Net 1.0. And it
doesn't work on Windows 2000 Pro, ASP.Net 1.0. Someone in this thread said
it doesn't work on Windows 2003 Server, ASP.Net 1.1. Can anyone try Windows
2000 Server, 1.0 and 1.1? If those aren't vulnerable then this isn't a big
deal for most people. There can't be too many companies running their
production website with XP Pro. At least I hope there isn't. Ken.
 
Greg Burns

We are running Windows 2000 Server SP4 ASP.Net 1.1 (w/o SP1) and I was not
able to duplicate...

I am not sure if we had URL Scan installed. I will need to check.

Greg
 
Tom Kaminski [MVP]

Greg Hurlman said:
Is there any hope of Microsoft or even an MVP giving us any word on this, or
are they just hoping it'll go away?

This *is not* my area of expertise, but since no one has responded yet in
this thread, I'll point these out:
http://www.microsoft.com/security/incident/aspnet.mspx
http://support.microsoft.com/?kbid=887459

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserver2003/community/centers/iis/
http://mvp.support.microsoft.com/
http://www.iisfaq.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://www.tryiis.com
 
