A Security Vulnerability in ASP.Net Allows Data Theft

Attackers can obtain administrator rights and read protected files.

 

Hackers have demonstrated a security vulnerability in Microsoft's ASP.Net at the Argentinian conference Ekoparty. Juliano Rizzo and Thai Duong showed how an error in ASP.Net can be exploited to read session cookies or other protected data. Furthermore, attackers can gain administrator rights to the affected web apps and thus read protected files such as "web.config".

All versions of ASP.Net on Windows XP Service Pack 3, Server 2003 to 2008 R2 and Windows are affected, as are IIS and the Sharepoint Server. Further information regarding the security vulnerability can be found in Microsoft Security Advisory 2416728, which also describes a workaround intended to temporarily fix the problem until Microsoft patches the vulnerability. In addition, Microsoft has created a forum specifically for this issue. Even more information can be found in the blog of Microsoft employee Scott Guthrie. A Technet blog offers a tool that tests whether a site is affected by the vulnerability.

09/23/2010
