Important Information on ASP.NET Vulnerability

Discussion in 'ASP .Net' started by Ken Cox [Microsoft MVP], Oct 6, 2004.

  1. "Microsoft has posted guidance that protects against a reported
    vulnerability in all versions of ASP.NET that could allow a Web site visitor
    to view secured content by using specially crafted requests to a Web server.

    Here's a suggested fix:

    Global.asax code sample (Visual Basic .NET)
    <script language="vb" runat="server">
    Sub Application_BeginRequest(Sender as Object, E as EventArgs)
        ' Reject any request whose path contains a backslash (chr(92)) or
        ' whose physical path is not already in canonical form.
        If (Request.Path.IndexOf(chr(92)) >= 0 OR _
            System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
            Throw New HttpException(404, "Not Found")
        End If
    End Sub
    </script>

    Global.asax code sample (C#)
    <script language="C#" runat="server">
    void Application_BeginRequest(object source, EventArgs e) {
        // Reject any request whose path contains a backslash or
        // whose physical path is not already in canonical form.
        if (Request.Path.IndexOf('\\') >= 0 ||
            System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
            throw new HttpException(404, "not found");
        }
    }
    </script>

    For more information visit here.
    Ken Cox [Microsoft MVP], Oct 6, 2004

  2. Ken Cox [Microsoft MVP]

    Guest Guest

    I've been installing this and testing the vpmodule.msi to prevent this issue
    and have yet to see that it is adding the
    'microsoft.web.validatepathmodule.dll' that it states should be in KB 887289.
    The package is updating the machine.config, but not installing the dll. I've
    been able to duplicate this on Win2k/IIS 5.0/.NET FW v1.1SP1 and
    Win2003/IIS6/.NET FWv1.1 SP1. It states it installs successfully every time.
    Additionally, I've attempted to manually update it per the KB and when
    extracting the package, I get this Installer error:
    Product: Microsoft ASP.NET ValidatePatch Module -- The installer has
    encountered an unexpected error installing this package. This may indicate a
    problem with this package. The error code is 2203. The arguments are
    c:\temp\vpmodule.msi, -2147287008.

    Has anyone else noticed this issue?
    Guest, Oct 9, 2004

  3. Ken Cox [Microsoft MVP]

    Scott Allen Guest

    I've done a couple machines, and other than causing a conflict with
    CAS in Reporting Services I have not had any problems. The module
    installs and I can see the assembly in the GAC.
    Scott Allen, Oct 10, 2004
  4. Ken Cox [Microsoft MVP]

    Guest Guest

    I've now installed it on a third platform (Win2k/IIS/.netFWv1.1SP1) and it
    did put the module in the GAC, however, it didn't place the dll on the system
    and the codebase location is blank on the module. If you do the manual steps,
    you will have the dll on the system and the codebase location is set to the
    dir of the dll.
    So, I'm confused if the dll is actually intended to be on the system or not
    to ensure the GAC module is working.

    Also, I figured out the Installer issue and I can extract it OK now.
    Guest, Oct 10, 2004
  5. Ken Cox [Microsoft MVP]

    Dan Kahler Guest

    The GAC isn't really intended to be viewed this way, but if it'll help you
    sleep better, you can verify that the DLL actually is on your system by
    going to the command line and navigating through the
    "<systemroot>\Assembly\GAC\Microsoft.Web.ValidatePathModule" folder.

    Once you've done that, forget that this technique exists - nothing good can
    come from circumventing the .NET Framework admin tools or Windows shell
    hooks, so you definitely don't want to do this regularly.

    Dan Kahler
    Dan Kahler, Oct 18, 2004
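
A way to check server logs for the requests that the Global.asax handler in the first post rejects, as an added example that is not part of the original thread or of Microsoft's guidance: it scans an IIS W3C extended log for a backslash in cs-uri-stem and records whether each hit was answered with 404. The log lines are constructed sample data, and whether IIS records the backslash literally or as %5C is an assumption, so both forms are matched.

```python
import re

# Constructed sample in IIS W3C extended log format (not from the original thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-10-08 09:14:02 192.0.2.10 GET /default.aspx - 200
2004-10-08 09:14:07 192.0.2.77 GET /secure\\report.aspx - 200
2004-10-08 09:15:31 192.0.2.77 GET /secure%5Creport.aspx - 404
2004-10-08 09:16:44 192.0.2.10 GET /images/logo.gif - 200
"""

# Literal backslash or its percent-encoded form; the posted check tests for chr(92).
BACKSLASH = re.compile(r"\\|%5c", re.IGNORECASE)


def find_backslash_requests(log_text):
    """Return one dict per log entry whose cs-uri-stem contains a backslash."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip truncated or malformed rows
        entry = dict(zip(fields, values))
        if BACKSLASH.search(entry.get("cs-uri-stem", "")):
            # 404 is the status the Global.asax handler throws for these paths;
            # any other status means the request was not turned away that way.
            entry["got_404"] = entry.get("sc-status") == "404"
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_backslash_requests(SAMPLE_LOG):
        state = "404" if hit["got_404"] else "REVIEW: status " + hit["sc-status"]
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], state)
```

Entries flagged for review are the ones to compare against the date the handler or the ValidatePath module went live on that server.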
