Microsoft ASP.NET Security Advisory - A core vulnerability in ASP.NET discovered - 2010/09/20 16:45

Last week two security ‘researchers’ (Thai Duong and Juliano Rizzo) publicly claimed they had found a core vulnerability in ASP.NET. They claimed they could develop an attack that would exploit this vulnerability.  Since then we have closely monitored as events unfolded.

On Friday evening (9/17/2010) the researchers demonstrated the attack on DotNetNuke at a conference in Buenos Aires, Argentina. Microsoft has kept the broad ASP.NET community fully informed in close to real-time on the interim fix while they work on a permanent solution.  The advisory from Microsoft is at:

http://www.microsoft.com/technet/security/advisory/2416728.mspx

There is also a well written blog by Scott Guthrie (Corporate Vice President at Microsoft Corp.) on this topic:

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Please read above topic and implement the fix asap.  The fix advised by Scott Guthrie is very simple, create a new error.aspx page (copy and paste from above link, both version or vb.net and c# are provided) and enable custom error page in web.config as advised.

Regards,
PakHost Support Team

 RSS Feed