Important Information on ASP.NET Vulnerability


Important Information on ASP.NET Vulnerability Ken Cox [Microsoft MVP]
10/6/2004 8:47:14 AM
asp.net announcements:
"Microsoft has posted guidance that protects against a reported
vulnerability in all versions of ASP.NET that could allow a Web site visitor
to view secured content by using specially crafted requests to a Web server."

Here's a suggested fix:

Global.asax code sample (Visual Basic .NET)
<script language="vb" runat="server">
    ' Reject any request whose path contains a backslash (Chr(92)) or whose
    ' physical path differs from its canonical full path.
    Sub Application_BeginRequest(Sender As Object, E As EventArgs)
        If (Request.Path.IndexOf(Chr(92)) >= 0 Or _
            System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) Then
            Throw New HttpException(404, "Not Found")
        End If
    End Sub
</script>

Global.asax code sample (C#)
<script language="C#" runat="server">
    // Reject any request whose path contains a backslash or whose
    // physical path differs from its canonical full path.
    void Application_BeginRequest(object source, EventArgs e) {
        if (Request.Path.IndexOf('\\') >= 0 ||
            System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
            throw new HttpException(404, "not found");
        }
    }
</script>


For more information visit here.

http://www.microsoft.com/security/incident/aspnet.mspx
RE: Important Information on ASP.NET Vulnerability Geeb
10/9/2004 3:03:08 PM
I've been installing this and testing the vpmodule.msi to prevent this issue
and have yet to see that it is adding the
'microsoft.web.validatepathmodule.dll' that it states should be in KB 887289.
The package is updating the machine.config, but not installing the dll. I've
been able to duplicate this on Win2k/IIS 5.0/.NET FW v1.1SP1 and
Win2003/IIS6/.NET FWv1.1 SP1. It states it installs successfully every time
though.
Additionally, I've attempted to manually update it per the KB and when
extracting the package, I get this Installer error:
Product: Microsoft ASP.NET ValidatePatch Module -- The installer has
encountered an unexpected error installing this package. This may indicate a
problem with this package. The error code is 2203. The arguments are
c:\temp\vpmodule.msi, -2147287008.

Re: Important Information on ASP.NET Vulnerability Scott Allen
10/9/2004 10:19:00 PM
I've done a couple machines, and other than causing a conflict with
CAS in Reporting Services I have not had any problems. The module
installs and I can see the assembly in the GAC.

--
Scott
http://www.OdeToCode.com/

Re: Important Information on ASP.NET Vulnerability Geeb
10/10/2004 7:27:03 AM
I've now installed it on a third platform (Win2k/IIS/.netFWv1.1SP1) and it
did put the module in the GAC, however, it didn't place the dll on the system
and the codebase location is blank on the module. If you do the manual steps,
you will have the dll on the system and the codebase location is set to the
dir of the dll.
So, I'm confused if the dll is actually intended to be on the system or not
to ensure the GAC module is working.

Also, I figured out the Installer issue and I can extract it OK now.
