ASP.NET Forms Authentication Vulnerability

Author: Min Tao | Source: Min Tao's Study Notes | Views: 582 | Updated: 2009/4/23 10:45:06

What You Should Know About a Reported Vulnerability in Microsoft ASP.NET

Published: October 5, 2004 | Updated: October 7, 2004

Microsoft is continuing to investigate a reported vulnerability in Microsoft ASP.NET. Reports have indicated that an attacker could send specially crafted requests to a Web server running ASP.NET applications and bypass forms based authentication or Windows authorization configurations, and potentially view secured content without providing the proper credentials. Our initial investigation has revealed that all versions of ASP.NET could be affected, independent of the installed IIS version or IIS components.

Microsoft strongly advises, as a preventative measure, that all Web content owners and administrators who are running any version of ASP.NET immediately read and implement one of the suggestions made in the Microsoft Knowledge Base articles listed on this page.

Note  This page was updated October 7, 2004, to include information about a newly released mitigation option, an HTTP module installer. This module protects all ASP.NET applications on a Web server against canonicalization problems that are currently known to Microsoft as of the publication date. We will continue to update this page as additional guidance and resources become available.

Guidance for Web Site Administrators

Microsoft has released an HTTP module that Web site administrators can apply to their Web server that will protect all ASP.NET applications on the server against URL canonicalization problems known to Microsoft as of the publication date. This module, as well as detailed guidance and deployment information, is available from the Microsoft Download Center.

  • Microsoft ASP.NET ValidatePath module (VPModule.msi)

For additional guidance on how to install and deploy this module to help protect your servers, see Microsoft Knowledge Base Article 887289, "HTTP Module to Check for Canonicalization Issues with ASP.NET".

Guidance for ASP.NET Developers

Note  If you install the HTTP module, this guidance is not necessary.

Microsoft recommends that Web site owners and developers implement the suggestions made in Microsoft Knowledge Base Article 887459, "Programmatically Check for Canonicalization Issues with ASP.NET", to mitigate this issue. Applying the article's guidance to your ASP.NET application will protect the application against URL canonicalization problems known to Microsoft as of the publication date.

In addition to this guidance, which will help protect customers against this type of security issue, Microsoft is working to provide a security update to ASP.NET that will provide additional protection for customers. We will release the update once it has reached an appropriate level of quality for deployment.
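
A programmatic canonicalization check of the kind this section refers to can take the form of an HTTP module that rejects non-canonical request paths before authentication and authorization run. This is an added example, not the code from Knowledge Base Article 887459 or from VPModule.msi; the names `CanonicalPathModule` and `IsCanonical`, and the rule that a backslash in the virtual path or a physical path that changes under normalization counts as non-canonical, are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Added illustration; not the code from KB 887459 or VPModule.msi.
// Assumption: a request is non-canonical when its virtual path contains a
// backslash or its mapped physical path changes when it is normalized.
public class CanonicalPathModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before the authentication and authorization
        // stages, so a rejected request never reaches those checks.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Request;
        if (!IsCanonical(request.Path, request.PhysicalPath))
        {
            // Fail closed: answer as if the resource does not exist instead
            // of guessing which resource the caller meant.
            throw new HttpException(404, "Not Found");
        }
    }

    // Kept free of HttpContext so it can be unit-tested on plain strings.
    public static bool IsCanonical(string virtualPath, string physicalPath)
    {
        if (virtualPath == null || physicalPath == null) return false;
        if (virtualPath.IndexOf('\\') >= 0) return false;
        try
        {
            // GetFullPath resolves "." and ".." segments and mixed
            // separators; a canonical path comes back unchanged.
            string normalized = Path.GetFullPath(physicalPath);
            return string.Equals(normalized, physicalPath, StringComparison.Ordinal);
        }
        catch (ArgumentException) { return false; }      // illegal characters
        catch (NotSupportedException) { return false; }  // e.g. stray ':'
        catch (PathTooLongException) { return false; }
    }
}
```

To take effect, the class has to be registered under `<httpModules>` in the application's web.config.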

Technical Assistance

If you believe you are affected by this potential issue, contact Microsoft Product Support Services for assistance.

  • For no-charge security update and virus-related support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338).
  • For worldwide support, contact your local Microsoft office.

Develop a Security Strategy

Get the prescriptive technical guidance, tools, training, and updates you need to plan and manage a security strategy that is right for your organization.

  • Security Guidance Center for Developers and IT Pros

