[ISN] Microsoft Probes Flaw in ASP.NET

InfoSec News isn at c4i.org
Sat Oct 9 05:03:11 EDT 2004


http://www.eweek.com/article2/0,1759,1668443,00.asp

By Simone Kaplan 
October 7, 2004 

Microsoft Corp. is investigating a reported security flaw in its
ASP.NET technology that could allow intruders to access
password-protected sections of a Web site simply by altering a URL.

The hole involves a glitch in ASP.NET's processing of URLs, a process
known as canonicalization. According to an advisory posted Tuesday on
Microsoft's Web site, "an attacker can send specially crafted requests
to the server and view secured content without providing the proper
credentials."

ASP.NET, the latest iteration of Microsoft's ASP (Active Server Pages)  
technology, is a Web development platform for building Web-centric
applications.

Microsoft has yet to post a fix for the problem, but in its advisory,
the company offered guidelines to help users temporarily secure their
sites against intrusion attempts until a permanent patch is delivered.

"It has been reported that a malicious user could provide a specially
formed URL that could result in the unsecured serving of unintended
content," a Microsoft spokeswoman said. "It's under investigation, and
we're working on finding an appropriate solution."

The company has yet to determine what the permanent fix will be or
when it will be posted, she said.

According to Microsoft, the problem exists in ASP.NET running on
Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional
and Windows Server 2003, but it does not affect ASP. That means the
problem affects a lot of users. A story on Netcraft.com reports that
ASP.NET is now running on more than 2.9 million active sites.

The reported security hole allows visitors to a password-protected
ASP.NET site to put a forward-slash, a space or "%5c" in the place of
the backslash in the site's URL and bypass the password login screen,
as well as bypass protections on administrative areas of the site.

Microsoft is asking ASP.NET users to add an event handler to force
real path validation for all Web server requests.an approach that will
keep intruders from gaining access to sensitive data but could result
in a performance or security tradeoff of its own, said Arian Evans,
senior security engineer at Kansas City, Mo.-based FishNet Security.

"[The fix] will impact performance because every single request that's
made to the Web server will have to be validated before it's either
authenticated or rejected," Evans said. "That's a lot of requests to
be processed."

Evans pointed out that Microsoft is no stranger to security problems
related to password or directory traversal. In December, the company
discovered a bug in Internet Explorer that let crackers rip off Web
pages more easily.

The vulnerability has generated lively discussion on Slashdot. While
many are lamenting that it's yet another Microsoft security breach,
one poster noted that the vulnerability is fairly easy to remedy:

"While I think the flaw itself is a concern, the 'rewrite their
applications' quote is pure drivel. All that's required is a couple of
lines in Global.asax. That's hardly a rewrite," said a poster
identified as Timesprout.





More information about the ISN mailing list