Difference between revisions of "Microsoft Security Bulletin July 2006-Vulnerabilities in IIS and ASP.Net"

From OWASP
(Reverting to last version not containing links to www.textraccaldron.com)
(6 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
Published on 11th July 2006
 
Published on 11th July 2006
 
      
 
      
* Microsoft Security Bulletin MS06-034 - Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)
+
* [http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx Microsoft Security Bulletin MS06-034] - Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)
* Microsoft Security Bulletin MS06-033 - Vulnerability in ASP.NET Could Allow Information Disclosure (917283)
+
* [http://www.microsoft.com/technet/security/Bulletin/MS06-033.mspx Microsoft Security Bulletin MS06-033] - Vulnerability in ASP.NET Could Allow Information Disclosure (917283)
  
 
I am a bit confused why MS06-034 is marked with 'Remote Code Execution' since if we follow the same logic, then MS should also release an advisory called "Asp.Net allows Remote Code Execution"
 
I am a bit confused why MS06-034 is marked with 'Remote Code Execution' since if we follow the same logic, then MS should also release an advisory called "Asp.Net allows Remote Code Execution"
 +
 +
 +
== Research questions ==
 +
 +
* where are the vulnerabilities (any volunteers to reverse engineer the patches?)
 +
** [http://www.microsoft.com/technet/security/Bulletin/MS06-034.mspx MS06-034] should be on asp.dll
 +
** [http://www.microsoft.com/technet/security/Bulletin/MS06-033.mspx MS06-033] should be on the config files?
 +
* can the other dislosed vulnerabilites be expoited from an ASP.NET environment, namely
 +
** [http://www.microsoft.com/technet/security/Bulletin/MS06-035.mspx Vulnerability in Server Service Could Allow Remote Code Execution (917159)]
 +
** [http://www.microsoft.com/technet/security/Bulletin/MS06-036.mspx Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)]
  
 
Dinis Cruz
 
Dinis Cruz
  
 
[[Category:OWASP .NET Project]]
 
[[Category:OWASP .NET Project]]
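
Review bot: The added research-question bullet that begins "can the other dislosed vulnerabilites be expoited" has three misspellings and should read "disclosed vulnerabilities be exploited". The two sub-bullets under "where are the vulnerabilities" are both guesses, but only the MS06-033 one ("should be on the config files?") ends in a question mark while the MS06-034 one ("should be on asp.dll") reads as a statement; mark both as unconfirmed in the same way.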

Revision as of 13:28, 27 May 2009

Published on 11th July 2006

I am a bit confused why MS06-034 is marked with 'Remote Code Execution' since if we follow the same logic, then MS should also release an advisory called "Asp.Net allows Remote Code Execution"


Research questions

Dinis Cruz