Ziff Davis Internet
News & Resources for the IT Reseller
NewsReviewsTech AnalysisCommentarySecurityLinux/Unix
My Account |  

Microsoft Probes Flaw in ASP.NET
By Simone Kaplan

Updated: A glitch in the platform’s processing of URLs could allow intruders to access password-protected sections of a Web site simply by altering a URL.

Microsoft Corp. is investigating a reported security flaw in its ASP.NET technology that could allow intruders to access password-protected sections of a Web site simply by altering a URL.

The hole involves a glitch in ASP.NET’s processing of URLs, a process known as canonicalization. According to an advisory posted Tuesday on Microsoft’s Web site, “an attacker can send specially crafted requests to the server and view secured content without providing the proper credentials.”


ASP.NET, the latest iteration of Microsoft’s ASP (Active Server Pages) technology, is a Web development platform for building Web-centric applications.

Late Thursday, Microsoft posted to its Web site a downloadable fix for the problem. The fix consists of an ASP.Net HTTP module that “will protect all ASP.NET applications against all potential canonicalization problems known to Microsoft,” according to the company.

In its advisory, posted earlier in the week, the company also offered guidelines to help users temporarily secure their sites against intrusion attempts until a permanent patch is delivered.

“It has been reported that a malicious user could provide a specially formed URL that could result in the unsecured serving of unintended content,” a Microsoft spokeswoman said. “It’s under investigation, and we’re working on finding an appropriate solution.”

The company has yet to determine what the permanent fix will be or when it will be posted, she said.

eWEEK.com Special Report: Internet Security

According to Microsoft, the problem exists in ASP.NET running on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional and Windows Server 2003, but it does not affect ASP. That means the problem affects a lot of users. A story on Netcraft.com reports that ASP.NET is now running on more than 2.9 million active sites.

The reported security hole allows visitors to a password-protected ASP.NET site to put a forward-slash, a space or “%5c” in the place of the backslash in the site’s URL and bypass the password login screen, as well as bypass protections on administrative areas of the site.

Microsoft is asking ASP.NET users to add an event handler to force real path validation for all Web server requests—an approach that will keep intruders from gaining access to sensitive data but could result in a performance or security tradeoff of its own, said Arian Evans, senior security engineer at Kansas City, Mo.-based FishNet Security.

“[The fix] will impact performance because every single request that’s made to the Web server will have to be validated before it’s either authenticated or rejected,” Evans said. “That’s a lot of requests to be processed.”

Evans pointed out that Microsoft is no stranger to security problems related to password or directory traversal. In December, the company discovered a bug in Internet Explorer that let crackers rip off Web pages more easily.

The vulnerability has generated lively discussion on Slashdot. While many are lamenting that it’s yet another Microsoft security breach, one poster noted that the vulnerability is fairly easy to remedy:

“While I think the flaw itself is a concern, the ‘rewrite their applications’ quote is pure drivel. All that’s required is a couple of lines in Global.asax. That’s hardly a rewrite,” said a poster identified as Timesprout.

Editor’s Note: This story was updated to add information about the fix for the ASP.NET vulnerability.

PointerCheck out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.

horizontal rule

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page



Free Hands-On Training Lab
Find out how key features of SBS 2003 can help you open up a new line of revenue. Register now >>

SBS 2003 Sales Reference Card
This handy reference card contains features at a glance, sales objection handling, pricing guidelines & more. Get it now >>

Microsoft Empower for ISVs rewards your big idea with big benefits and support.
Access key development tools at a low cost to help you develop that idea into an innovative application. Learn more >>

Changing Business for the Better: A Practical Guide to BPM

This paper provides an overview of the benefits of BPM technologies and identifies the characteristics of BPM solutions that lead to successful BPM process-centric integration projects.

Download this free white paper to learn more!

>> brought to you by IBM

Attention Microsoft Solution Providers!

Want to gain a competitive edge? Try Microsoft Watch – FREE!

Each week you receive:
  • Microsoft News and Insider Information
  • Expert Analysis
  • Code Names of Upcoming MS Products
  • Year-Ahead Calendar, updated monthly

    Click Here to sign up now for your FREE 14 Day Trial to Microsoft Watch.
  • Add up to $1,200 of value with the new BONUS PACKS.
  • HP PartnerONE: The key to increasing your margins.
  • HP Compaq nc6129 Business Notebook. $1149 Smart Buy
  • HP xw8200 workstation. Smart Buy price $1549.
  • ProLiant DL360G4p server: HP Smart Buy price $1647
  • Microsoft files new anti-piracy lawsuits. Learn more.
  • New offers with Windows Genuine Advantage.

    •Catalog Publishing
    •Dealer Management
    •Order Configuration
    •Price Management
    •Sales Management

    View All >

    Search the jobs you want & get the info you need – post your resume here today!

    Powered by Dice
    White Boxes
    MS vs. IBM
    Linux in the Channel
    Stay in the Zone
    Put The Channel Insider on your desktop.
    Subscribe to The Channel Insider: Channel News, Reviews, Resources and more.

    Make your selections below:

    Contract Watch

    The Channel Insider Update

    Preferred e-mail format:

    Enter your e-mail:

    view all newsletters >>
    Channel Insider Quick Links
    Ziff Davis Footer Logo