Difference between revisions of "ASP.NET POET Vulnerability"

From OWASP
Jump to: navigation, search
(Fixes (via web.config change))
(Not reccomended Fixes (via web.config change))
Line 7: Line 7:
 
=== Not reccomended Fixes (via web.config change)===
 
=== Not reccomended Fixes (via web.config change)===
 
* Important: ASP.NET Security Vulnerability  (ScottGu's blog) http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
 
* Important: ASP.NET Security Vulnerability  (ScottGu's blog) http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
* Why ScottGu's Workaround doesn't work ["T" exploit 200 vs 404 response status]: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
 
* Why ScottGu's Workaround doesn't work ["T" exploit attack]: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
 
 
* DotNetNuke ASP.NET Security Vulnerability Fix: http://www.subodh.com/Blog/PostID/116/DotNetNuke-ASP-NET-Security-Vulnerability-Fix
 
* DotNetNuke ASP.NET Security Vulnerability Fix: http://www.subodh.com/Blog/PostID/116/DotNetNuke-ASP-NET-Security-Vulnerability-Fix
 +
 +
Why we do not reccomend these workarounds
 +
* ["T" exploit 200 vs 404 response status]: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
 +
* ["T" exploit attack]: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
  
 
===Blogs, News, Articles===
 
===Blogs, News, Articles===

Revision as of 15:05, 4 October 2010

Contents

This page contains details about the ASP.NET POET vulnerability disclosed on 2010-09-17. This vulnerability exists in all versions of ASP.NET (all versions released through 2010-09-18). As of 2010-09-20, there is no fix available to resolve the vulnerability; in the meantime, Microsoft strongly urges all ASP.NET deployments perform the recommended workaround to mitigate the vulnerability in the short-term.

Advisory

Not reccomended Fixes (via web.config change)

Why we do not reccomend these workarounds

Blogs, News, Articles

discussion Threads