Difference between revisions of "ASP.NET POET Vulnerability"

From OWASP
Jump to: navigation, search
(Not reccomended Fixes (via web.config change))
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
__TOC__  
 
__TOC__  
This page contains details about the recently disclosed ASP.NET POET Vulnerability:
+
This page contains details about the ASP.NET POET vulnerability disclosed on 2010-09-17. This vulnerability exists in all versions of ASP.NET (all  versions released through 2010-09-18).  As of 2010-09-20, there is no fix available to resolve the vulnerability; in the meantime, Microsoft strongly urges all ASP.NET deployments [http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx| perform the recommended workaround] to mitigate the vulnerability in the short-term.
  
 
===Advisory===
 
===Advisory===
 
* Microsoft Security Advisory (2416728) : http://www.microsoft.com/technet/security/advisory/2416728.mspx
 
* Microsoft Security Advisory (2416728) : http://www.microsoft.com/technet/security/advisory/2416728.mspx
  
=== Fixes (via web.config change)===
+
=== Recommended Fixes ===
 +
*Microsoft Official Fix: http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx
 +
 
 +
=== Not recommended Fixes (via web.config change)===
 
* Important: ASP.NET Security Vulnerability  (ScottGu's blog) http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
 
* Important: ASP.NET Security Vulnerability  (ScottGu's blog) http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
 
* DotNetNuke ASP.NET Security Vulnerability Fix: http://www.subodh.com/Blog/PostID/116/DotNetNuke-ASP-NET-Security-Vulnerability-Fix
 
* DotNetNuke ASP.NET Security Vulnerability Fix: http://www.subodh.com/Blog/PostID/116/DotNetNuke-ASP-NET-Security-Vulnerability-Fix
 +
 +
Why we do not recommend these workarounds
 +
* ["T" exploit 200 vs 404 response status]: http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
 +
* ["T" exploit attack]: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
  
 
===Blogs, News, Articles===
 
===Blogs, News, Articles===
Line 17: Line 24:
 
* Argentina joins Axis of Evil with zero day ASP.NET exploit http://www.techeye.net/security/argentina-joins-axis-of-evil-with-zero-day-asp-net-exploit
 
* Argentina joins Axis of Evil with zero day ASP.NET exploit http://www.techeye.net/security/argentina-joins-axis-of-evil-with-zero-day-asp-net-exploit
 
* Padding Oracle Exploit Tool http://netifera.com/research/
 
* Padding Oracle Exploit Tool http://netifera.com/research/
* Google Search: http://www.google.co.uk/search?q=ASp.NET+vulnerability
+
* Video demonstration of using POET tool to attack vulnerable ASP.NET deployment http://www.youtube.com/watch?v=yghiC_U2RaM
 +
* Google Search: http://www.google.co.uk/search?q=ASP.NET+vulnerability
 +
 
 +
=== File Access Exploits ===
 +
* Webconfig_Bruter (first public exploit for file downloading): http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
 +
* Padbuster v0.3 can now download Web.config and much more: http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
  
 
=== discussion Threads===
 
=== discussion Threads===

Latest revision as of 15:08, 4 October 2010

Contents

This page contains details about the ASP.NET POET vulnerability disclosed on 2010-09-17. This vulnerability exists in all versions of ASP.NET (all versions released through 2010-09-18). As of 2010-09-20, there is no fix available to resolve the vulnerability; in the meantime, Microsoft strongly urges all ASP.NET deployments perform the recommended workaround to mitigate the vulnerability in the short-term.

Advisory

Recommended Fixes

Not recommended Fixes (via web.config change)

Why we do not recommend these workarounds

Blogs, News, Articles

File Access Exploits

discussion Threads