ASP .NET vulnerability - update
Saturday, 25 September 2010

An additional measure is needed to fully protect against the Oracle attack on ASP .NET sites.

Banner

Scot Guthrie seems to be still bearing the weight of dealing with getting the news out about the on-going ASP .NET security problems. The latest update on his blog issues revised instructions on defending sites against the attack which basically include some additional measures.

aspnet

In addition to the previous steps you should now also install and configure the  IIS URLScan module (x86 Version or x64 Version).

Once URLScan is installed modify the UrlScan.ini file in this location:

%windir%\system32\inetsrv\urlscan\UrlScan.ini

Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. 

Add an additional “aspxerrorpath=” entry immediately below it and then save the file:

[DenyQueryStringSequences]

 aspxerrorpath=


The above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error.  Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.

After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect.  To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.

Further reading

More on the ASP.NET vulnerability

New ASP .NET vulnerability

Microsoft Security Advisory 2416728 (Updated 9/24)

Understanding the ASP.NET Vulnerability

Initial Blog Post

Frequently Asked Questions Post

SharePoint Team Blog Post

Microsoft Security Response Center Blog Post

Microsoft Security Response Center Update Post

Banner


Python 2.7 To Be Maintained Until 2020
14/04/2014

The End of Life date of Python 2.7 has been extended by 5 years to 2020 to accommodate users who can't yet migrate to the Python 3. Although some Pythonistas are relieved by this news, others are infu [ ... ]



Facebook Buys Oculus VR
26/03/2014

Oculus VR, which has a virtual reality headset under development, has been snapped up by Facebook in a deal valued at $2 billion. What does this mean for the future of VR?


More News

Last Updated ( Saturday, 25 September 2010 )
 
 

   
RSS feed of news items only
I Programmer News
Copyright © 2014 i-programmer.info. All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.