Last week two security ‘researchers’ (Thai Duong and Juliano Rizzo) publicly claimed they had found a core vulnerability in ASP.NET. They claimed they could develop an attack that would exploit this vulnerability. Since then we have closely monitored events as they unfolded.

On Friday evening (9/17/2010) the researchers demonstrated the attack on DotNetNuke at a conference in Buenos Aires, Argentina. Microsoft has kept the broad ASP.NET community fully informed in close to real-time on the interim fix while they work on a permanent solution. The advisory from Microsoft is at:

http://www.microsoft.com/technet/security/advisory/2416728.mspx

There is also a well-written blog post by Scott Guthrie (Corporate Vice President at Microsoft Corp.) on this topic:

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Please read the post above and implement the fix as soon as possible. The fix advised by Scott Guthrie is very simple: create a new error.aspx page (copy and paste from the above link; both VB.NET and C# versions are provided) and enable the custom error page in web.config as advised.

Regards,
PakHost Support Team
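
A check for the web.config half of the fix described above, as an added example that is not code from PakHost or Microsoft. It assumes the workaround needs custom errors switched on, a single defaultRedirect page, and no per-status-code `<error>` entries; the function names and both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: custom errors off, separate pages per status code.
WEAK = """<configuration><system.web>
  <customErrors mode="Off">
    <error statusCode="404" redirect="~/404.aspx" />
    <error statusCode="500" redirect="~/500.aspx" />
  </customErrors>
</system.web></configuration>"""

# Constructed sample: every error goes to the one error.aspx page.
FIXED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.aspx" />
</system.web></configuration>"""


def local(tag):
    """Strip an XML namespace prefix such as '{uri}customErrors'."""
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means the check passed."""
    root = ET.fromstring(web_config_xml)
    # Look at every <customErrors>, including ones nested under <location>.
    nodes = [el for el in root.iter() if local(el.tag) == "customErrors"]
    if not nodes:
        return ["no <customErrors> element: no custom error page is configured"]
    findings = []
    for node in nodes:
        # ASP.NET falls back to RemoteOnly when mode is omitted.
        if node.get("mode", "RemoteOnly") == "Off":
            findings.append('mode="Off": detailed errors are returned to clients')
        if not node.get("defaultRedirect"):
            findings.append("defaultRedirect is not set")
        codes = [c.get("statusCode", "?") for c in node if local(c.tag) == "error"]
        if codes:
            findings.append("per-status pages (" + ", ".join(codes)
                            + ") let a client tell error types apart")
    return findings


if __name__ == "__main__":
    for name, xml in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_custom_errors(xml) or "OK")
```
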

 



Monday, September 20, 2010


