Thread: Vulnerability in ASP.NET

  1. #1
    Large Member

    Vulnerability in ASP.NET

    There is an oracle-type attack publicly released that can allow downloading of web configuration files. If your sites use web resources/script resources (i.e. if you have a pretty standard ASP.NET setup, almost certainly they will) and your pages return different headers and/or content depending on the validity of the request, your sites will be exposed. The workaround at the moment is to return content/headers that are the same no matter the request. More info on the workaround here: http://weblogs.asp.net/scottgu/archi...erability.aspx.

    Happy coding
    To err is human. To really foul things up ... you need a computer.
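    The "same response no matter the request" workaround from the post, written out as an added example (not from the original thread or from the linked blog): a web.config with the weak per-status-code error setup shown commented out beside the corrected single-error-page setting. The page paths (~/error.aspx and friends) are assumed.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original thread. Paths under ~/ are assumed placeholders. -->
<configuration>
  <system.web>

    <!-- WEAK: a different page per status code (and the default mode="RemoteOnly") lets a
         client distinguish a 404 from a 500 from a 200 by body, headers and redirect target.
         That per-request difference is exactly what an oracle-style attack needs. -->
    <!--
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/servererror.aspx" />
    </customErrors>
    -->

    <!-- WORKAROUND: one error page for every failure, no per-status-code entries.
         redirectMode="ResponseRewrite" (available from .NET 3.5 SP1 / 4.0) serves the error
         page in place of the response instead of issuing a 302, so status code and body are
         uniform as well. On .NET 2.0 / 3.5 RTM the attribute is not recognised: drop it and
         keep mode="On" with defaultRedirect only. -->
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />

  </system.web>
</configuration>
```

    The same workaround also has the error page itself sleep for a small random interval in Page_Load so that response timing does not leak the difference either; check the headers of a good and a bad request with a browser's network tab to confirm they match after the change.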

  3. #2
    scaryjim

    Re: Vulnerability in ASP.NET

    blech, confused. Wish they could be a bit more descriptive about how an attack might be carried out; I now have no idea whether this will affect any of my apps or not.

    Might have to set up custom errors just as a safeguard though. Lovely job for my first day back off holiday...

    Ahha, found this:

    If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application. The public disclosure demonstrated using this technique to retrieve the contents of web.config.

    All my apps are 2.0, and none of them use ViewState, so it looks like I'm already mitigated from the most serious issues. Still, something to keep an eye on over the next week or so, I guess...
    Last edited by scaryjim; 19-09-2010 at 07:25 PM.

  4. #3
    Large Member

    Re: Vulnerability in ASP.NET

    Not sure where that quote is from but it is incorrect. ViewState is not the issue, but the AES encryption used to load in webresource/scriptresource files. You need to ensure requests for these and any other files that use the same mechanism do not return different data that would allow an oracle-type attack program to maintain a list of (un)successful requests.
    To err is human. To really foul things up ... you need a computer.

  5. #4
    scaryjim

    Re: Vulnerability in ASP.NET

    The quote's from this technet blog post, which is linked to from the page you linked to. It looks like, whatever the actual vulnerability is, the main targets are likely to be decrypting the ViewState, or accessing application files that are normally impossible to access via the web, like web.config (which would be the main concern for me). However, according to that blog post the files are only at risk if you're on 3.5 SP1 or higher, which I'm not. As usual, Microsoft have provided far more details about what an attacker might get hold of than what they might attack (none of the links I've followed mention the resource files, which I assume are the .resx type files?).

    But essentially, from the information available, even if my sites were subject to the attack it doesn't look like any useful information could be gleaned from them.

    Anyway, if I'm right about this being a .resx attack then I don't use any of those either, so in that sense it wouldn't be a problem. On the other hand, I've been thinking about putting together a user-friendly custom error page anyway, so this is a perfect opportunity to persuade work to schedule me some time to deal with it. And it doesn't change the fact that I'm grateful to you for bringing it to my attention.

  6. #5
    Large Member

    Re: Vulnerability in ASP.NET

    My understanding is that all versions of the .NET framework are affected, and if you are using any standard ASP.NET functionality (e.g. postbacks) on your site, you will be vulnerable (the aspnet forms client library is embedded in the System.Web assembly as I recall and uses the web resource mechanism).
    To err is human. To really foul things up ... you need a computer.
