Ignition Development Blog

Sure, we do lots of great things, but you’re probably most interested in our websites and custom web applications

More on the ASP.NET Security vulnerability

The past week has brought a bit of uncertainty around the ASP.NET security vulnerability. The good news is that Microsoft has a security update coming tomorrow to address the issue, and should be applauded for responding so quickly. You only have to stop for a moment and think about the level of testing required for anything affecting a product such as the .NET Framework to realise that responding within a limited timeline like this is pretty impressive indeed.

However, for those who want a bit more technical info (i.e. people who are simply curious about how this stuff works), here’s a collection of interesting posts on the subject.

Firstly, let’s set the scene with a short video demonstrating the exploit in action against DNN. You should note that DNN is a good target because some of its default administrator usernames are well known, which makes it easier to exploit the vulnerability. It’s a reminder of why it’s always good to change these default usernames whenever you have the option to do so.


Now, for some links. Firstly, this one - HOWTO: Verify that custom error handling solutions do not expose padding oracle – is a useful post with some good technical info, and a more useful way to verify vulnerability by using Fiddler to visit a couple of variations on requests to WebResource.axd. There are some good discussions and clarifications in the replies, which are worth reading if you want a bit more background information.

Next is a Padding oracle detection script, which comes from the same author as above. This can be used to help verify whether your sites have been properly patched or not.

Finally, a couple of links from ScottGu - Update on ASP.NET Vulnerability and ASP.NET Security Update Shipping Tuesday, Sept 28th.

Stay safe out there!



posted on Wednesday, September 29, 2010 10:00 PM


# re: More on the ASP.NET Security vulnerability

Posted by Deepak on 10/20/2011 10:48 PM

Thanks for the info! Your article actually helped me.
