Difference between revisions of "ASP.NET POET Vulnerability"

From OWASP
(Added introductory sentences as a first step towards Dinis' recommended "good/objective description of the problem, good technical description of the problem and tons of references")
(Blogs, News, Articles)
Line 19: Line 19:
 
* Video demonstration of using POET tool to attack vulnerable ASP.NET deployment http://www.youtube.com/watch?v=yghiC_U2RaM
 
* Video demonstration of using POET tool to attack vulnerable ASP.NET deployment http://www.youtube.com/watch?v=yghiC_U2RaM
 
* Google Search: http://www.google.co.uk/search?q=ASP.NET+vulnerability
 
* Google Search: http://www.google.co.uk/search?q=ASP.NET+vulnerability
 +
* Webconfig_Bruter (first publick exploit for file downloading): http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
 +
* Padbuster v0.3 can now download Web.config and much more: http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
  
 
=== discussion Threads===
 
=== discussion Threads===
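Review bot: The first added entry misspells "public" as "publick" in "first publick exploit for file downloading"; please correct it before saving. Both added lines follow the existing bare-URL bullet style, which is consistent with the entries above them. The context heading "=== discussion Threads===" has uneven spacing around the title and a lowercase first word, and could be tidied to "=== Discussion Threads ===" in the same edit.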

Revision as of 15:02, 4 October 2010

This page contains details about the ASP.NET POET vulnerability disclosed on 2010-09-17. The vulnerability exists in all versions of ASP.NET released through 2010-09-18. As of 2010-09-20, no fix is available; in the meantime, Microsoft strongly urges that all ASP.NET deployments apply the recommended workaround to mitigate the vulnerability in the short term.

Advisory

Fixes (via web.config change)

Blogs, News, Articles

discussion Threads