A Security Vulnerability in ASP.Net Allows Data Theft
Hackers have demonstrated a security vulnerability in Microsoft's ASP.Net at the Argentinian conference Ekoparty. Juliano Rizzo and Thai Duong showed how an error in ASP.Net can be exploited to read session cookies or other protected data. Furthermore, attackers can gain administrator rights to the affected web apps and thus read protected files such as "web.config".
All versions of ASP.Net on Windows XP Service Pack 3, Server 2003 to 2008 R2 and Windows are affected, as are IIS and the SharePoint Server. Further information on the vulnerability can be found in Microsoft Security Advisory 2416728, which also describes a workaround intended as a temporary fix until Microsoft patches the vulnerability. In addition, Microsoft has created a forum specifically for this issue. More information can be found in the blog of Microsoft employee Scott Guthrie. A Technet blog offers a tool that tests whether a site is affected by the vulnerability.