
Important Information on ASP.NET Vulnerability

"Microsoft has posted guidance that protects against a reported
vulnerability in all versions of ASP.NET that could allow a Web site visitor
to view secured content by using specially crafted requests to a Web server."

Here's a suggested fix:

Global.asax code sample (Visual Basic .NET)

<script language="vb" runat="server">
    ' Reject any request whose URL path contains a backslash, or whose mapped
    ' physical path is not already in canonical form.
    Sub Application_BeginRequest(Sender As Object, E As EventArgs)
        If (Request.Path.IndexOf(Chr(92)) >= 0 Or _
            System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) Then
            Throw New HttpException(404, "Not Found")
        End If
    End Sub
</script>

Global.asax code sample (C#)

<script language="C#" runat="server">
    // Reject any request whose URL path contains a backslash, or whose mapped
    // physical path is not already in canonical form.
    void Application_BeginRequest(object source, EventArgs e) {
        if (Request.Path.IndexOf('\\') >= 0 ||
            System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
            throw new HttpException(404, "not found");
        }
    }
</script>
For more information, visit:

http://www.microsoft.com/security/incident/aspnet.mspx

Nov 18 '05 #1
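As an added illustration (not code from the thread or from Microsoft), the Python below models the two conditions in the Global.asax sample and runs constructed requests through them; ntpath.normpath stands in for System.IO.Path.GetFullPath, and Request is a hypothetical stand-in for HttpRequest, both assumptions of this example.

```python
"""Model of the Global.asax canonicalization check from the thread.

Constructed example, not Microsoft's code. ntpath.normpath stands in for
System.IO.Path.GetFullPath (an assumption: only the "."/".." and separator
normalisation it performs is modelled, not the CLR's exact behaviour).
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """Hypothetical stand-in for HttpRequest: the URL path and the
    file-system path IIS/ASP.NET mapped it to."""
    path: str           # Request.Path
    physical_path: str  # Request.PhysicalPath


def begin_request(req: Request) -> int:
    """HTTP status the handler would yield: 404 when the request fails the
    check (what the thread's sample throws), otherwise 200 (let it through)."""
    # Condition 1: a backslash anywhere in the URL path.
    if "\\" in req.path:
        return 404
    # Condition 2: the mapped physical path is not already canonical.
    if ntpath.normpath(req.physical_path) != req.physical_path:
        return 404
    return 200


def check_samples() -> dict:
    """Run constructed requests through the check; returns {label: status}."""
    root = r"C:\inetpub\wwwroot"
    samples = {
        "canonical": Request("/secure/report.aspx", root + r"\secure\report.aspx"),
        "backslash in url": Request("/secure\\report.aspx", root + r"\secure\report.aspx"),
        "dot segment": Request("/secure/./report.aspx", root + r"\secure\.\report.aspx"),
        "dotdot segment": Request("/secure/../secure/report.aspx",
                                  root + r"\secure\..\secure\report.aspx"),
        "mixed separators": Request("/secure/report.aspx", root + r"/secure\report.aspx"),
    }
    return {label: begin_request(req) for label, req in samples.items()}


if __name__ == "__main__":
    for label, status in check_samples().items():
        print(f"{status}  {label}")
```

Only the first sample passes; every other one trips one of the two conditions and gets the 404 the sample code throws.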
I've been installing this and testing the vpmodule.msi to prevent this issue
and have yet to see that it is adding the
'microsoft.web.validatepathmodule.dll' that it states should be in KB 887289.
The package is updating the machine.config, but not installing the dll. I've
been able to duplicate this on Win2k/IIS 5.0/.NET FW v1.1SP1 and
Win2003/IIS6/.NET FWv1.1 SP1. It states it installs successfully every time
though.
Additionally, I've attempted to manually update it per the KB and when
extracting the package, I get this Installer error:
Product: Microsoft ASP.NET ValidatePatch Module -- The installer has
encountered an unexpected error installing this package. This may indicate a
problem with this package. The error code is 2203. The arguments are
c:\temp\vpmodule.msi, -2147287008.

Has anyone else noticed this issue?
Nov 18 '05 #2
I've done a couple machines, and other than causing a conflict with
CAS in Reporting Services I have not had any problems. The module
installs and I can see the assembly in the GAC.

--
Scott
http://www.OdeToCode.com/

On Sat, 9 Oct 2004 15:03:08 -0700, "Geeb"
<Ge**@discussions.microsoft.com> wrote:

Nov 18 '05 #3
I've now installed it on a third platform (Win2k/IIS/.netFWv1.1SP1) and it
did put the module in the GAC, however, it didn't place the dll on the system
and the codebase location is blank on the module. If you do the manual steps,
you will have the dll on the system and the codebase location is set to the
dir of the dll.
So, I'm confused if the dll is actually intended to be on the system or not
to ensure the GAC module is working.

Also, I figured out the Installer issue and I can extract it OK now.

"Scott Allen" wrote:

Nov 18 '05 #4
The GAC isn't really intended to be viewed this way, but if it'll help you
sleep better, you can verify that the DLL actually is on your system by
going to command-line and navigating through the
"<systemroot>\Assembly\GAC\Microsoft.Web.ValidatePathModule" folder
structure.

Once you've done that, forget that this technique exists - nothing good can
come from circumventing the .NET Framework admin tools or Windows shell
hooks, so you definitely don't want to do this regularly.

Dan Kahler
"Geeb" <Ge**@discussions.microsoft.com> wrote in message
news:53**********************************@microsoft.com...

Nov 18 '05 #5
