Ignition Blog: A place where we write words

Welcome to the Ignition Development blog, where we talk about a wide range of topics.

More on the ASP.NET Security vulnerability

The past week has seen a fair bit of uncertainty around the ASP.NET security vulnerability. The good news is that Microsoft has a security update coming tomorrow to address the issue, and should be applauded for responding so quickly. You only have to stop for a moment and think about the level of testing required for anything affecting a product such as the .NET Framework to realise that responding within a limited timeline like this is pretty impressive indeed.

However, for those who want a bit more technical info (i.e. people who are simply curious about how this stuff works), here’s a collection of interesting posts on the subject.

Firstly, let’s set the scene with a short video demonstrating the exploit in action against DNN. Note that DNN is a good target because some of its default administrator usernames are well known, which makes it easier to exploit the vulnerability. It’s a reminder of why it’s always good to change these default usernames whenever you have the option to do so.

Now, for some links. The first, HOWTO: Verify that custom error handling solutions do not expose padding oracle, is a useful post with some good technical info and a more useful way to verify vulnerability: using Fiddler to visit a couple of variations on requests to WebResource.axd. There are some good discussions and clarifications in the replies, which are worth reading if you want a bit more background information.

Next is a Padding oracle detection script, which comes from the same author as above. This can be used to help verify whether your sites have been properly patched or not.
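The comparison behind both of those checks can be run offline over responses saved from a proxy such as Fiddler. The following is an added example, not the linked author's script: it flags any feature a client could use to tell two error responses apart. The `Captured` class, the `variant-a`/`variant-b` labels and the sample responses are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Captured:
    """One saved response; label is the tester's own name for the request variation."""
    label: str
    status: int
    headers: dict
    body: bytes

def fingerprint(resp):
    """Reduce a response to the features a client can observe and compare."""
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    return {
        "status": resp.status,
        "location": hdrs.get("location"),          # redirect target of the error page
        "content-type": hdrs.get("content-type"),
        "body-length": len(resp.body),
        "body-sha256": hashlib.sha256(resp.body).hexdigest(),
    }

def distinguishing_features(responses):
    """Return {feature: {label: value}} for each feature that differs between responses."""
    prints = {r.label: fingerprint(r) for r in responses}
    if not prints:
        return {}
    diffs = {}
    for feature in next(iter(prints.values())):
        values = {label: fp[feature] for label, fp in prints.items()}
        if len(set(values.values())) > 1:
            diffs[feature] = values
    return diffs

ERROR_PAGE = b"<html><body>An error occurred.</body></html>"
HTML = {"Content-Type": "text/html"}
# Constructed captures: one generic error page for every failure.
UNIFORM = [Captured("variant-a", 200, HTML, ERROR_PAGE),
           Captured("variant-b", 200, HTML, ERROR_PAGE)]
# Constructed captures: custom error handling that still branches on the failure type.
LEAKY = [Captured("variant-a", 404, HTML, b"<html>Not found</html>"),
         Captured("variant-b", 500, HTML, b"<html>Server error</html>")]

if __name__ == "__main__":
    for name, capture in (("uniform", UNIFORM), ("leaky", LEAKY)):
        diffs = distinguishing_features(capture)
        print(name, "OK" if not diffs else "differs in: " + ", ".join(sorted(diffs)))
```

An empty result means the captured responses are identical in content; it says nothing about response timing, which has to be checked separately.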

Finally, a couple of links from ScottGu - Update on ASP.NET Vulnerability and ASP.NET Security Update Shipping Tuesday, Sept 28th.

Stay safe out there!

 

-Ross


Posted on Wednesday, September 29, 2010 10:00 PM ·

Comments

# re: More on the ASP.NET Security vulnerability

Posted by Deepak on 10/20/2011 10:48 PM

Thanks for the info! Your article actually helped me.


