Hi All,

Recently there has been a public disclosure of a very severe security flaw in ASP.NET.

This is especially concerning if you already have an ASP.NET application deployed that shares really confidential information.

Because this was publicly disclosed recently, Microsoft has taken the immediate step of providing an initial workaround to prevent your apps from being vulnerable.
The most concerning thing is that this vulnerability exists in all versions of ASP.NET, so if you or your customer has an application that is vulnerable, please give this article a look to ensure you are not being hacked due to this security flaw.

What does the vulnerability enable?

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

So please check the blog post linked below for more details. It gives you information about:

How the Vulnerability Works
How to Workaround The Vulnerability
Enabling the Workaround on ASP.NET V1.0 to V3.5
Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0
How to Verify if the Workaround is Enabled
How to Find Vulnerable ASP.NET Applications on Your Web Server
How to Find More Information about this Vulnerability

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Currently there is just a workaround, but Microsoft is planning to release a patch pretty soon.

Thanks & Regards,

Fazal
