ASP.NET vulnerability后续的一些信息
Reported ASP.NET vulnerability
7 October 2004
• Affects:
– All versions of ASP.NET running on all supported operating systems
• Does not affect:
– ASP, IIS
– Windows Sharepoint Services, CMS, Commerce Server, Exchange OMA, InfoPath Forms Server, Project Server, and MOM
• Reported Problem:
– An attacker may be able to send specially crafted URLs to a Web server running ASP.NET applications to bypass forms based authentication or Windows authorization configurations
– Exploit could potentially enable attacker to view secured content without providing the proper credentials
• What should developers and web site owners do?
– Microsoft strongly advises, as a preventative measure, that you immediately read and implement one of the suggestions at http://www.microsoft.com/security/incident/aspnet.mspx
– If you believe you have been affected please contact Microsoft Help and Support: http://support.microsoft.com/default.aspx?pr=securityitpro
• What are the next steps?
– Check out the Security forum at http://www.asp.net/forums/ for discussion
– Apply the update when it becomes available
• What additional steps is Microsoft taking?
– Microsoft is actively investigating this issue and will release further guidance at http://www.microsoft.com/security/incident/aspnet.mspx when it comes available
– We will release a security update for ASP.NET as soon as possible
从上面的(公司邮件)看到,绝大多数的MS产品来说,并不受到这个可能的漏洞攻击的影响
另外两天前有SQL Report Services 在安装了VPModel的Path后,发现一些问题
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Assembly microsoft.web.validatepathmodule.dll security permission grant set is incompatible between appdomains.
Source Error:
Line 324:
<add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule"/>
Line 325:
<add name="ErrorHandlerModule" type="System.Web.Mobile.ErrorHandlerModule, System.Web.Mobile, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
Line 326:
<add name="ValidatePathModule" type="Microsoft.Web.ValidatePathModule, Microsoft.Web.ValidatePathModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=eba19824f86fdadd"/></httpModules>
Line 327: <!--
Line 328: processModel Attributes:
Source File: c:\windows\microsoft.net\framework\v1.1.4322\Config\machine.config Line: 326
microsoft.public.dotnet.framework.aspnet 中有手工处理的步骤,今天MS 也发表了一篇新的KB专门的说明这个问题。
http://support.microsoft.com/kb/887787
这里提供的是两个默认的配置文件,所以你需要先备份然后再使用,那么最好的方式是按照讨论组中的描述手工的修改,比较方便,特别是你大幅的修改了rssrvpolicy.config 和rsmgrpolicy.config 文件
你对照Download的配置文件和你原来的,好像是需要删除下面这段配置
<CodeGroup class="UnionCodeGroup"
version="1"
PermissionSetName="FullTrust"
Name="ValidateModuleInGac"
Description="Validate Module from GAC">
<IMembershipCondition class="UrlMembershipCondition"
version="1"
Url="$Gac$/*"/>
</CodeGroup>
我并不是非常确认,你需要自己仔细对照一下J
当然有人担心另外自己使用的另外一个产品,也会受到同样影响—SPS 2003,从上面我们看到对于WSS这个漏洞攻击是不起作用的。
专家(Iyaz)的回复是这样的:
- If you haven’t used exclusions and haven’t created a non-WSS vserver, you’re fine. It’s safe to apply the ASP.net MSI; we recommend it, but it isn’t required.
- If you have created a non-WSS vserver, you should apply the MSI to protect those vservers. WSS won’t be impacted.
- If you have exclusions, you should apply the MSI to protect those vservers. You should make sure you have a web.config in the root of these and explicitly put in an <add name="ValidatePathModule" type="Microsoft.Web.ValidatePathModule, Microsoft.Web.ValidatePathModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=eba19824f86fdadd"/>
(per http://support.microsoft.com/?kbid=887289).
- If you did a findstr /s "clear" c:\web.config and added the above <add /> line right after any clear in a web.config, we don’t think you’ll break WSS by doing so.
希望这些信息对你有所帮助,在.NET评测网上上有更多一些信息,是关于ASP.NET vulnerability更多的一些细节信息,我想新闻组和网络中的更多的人通过讨论的方式来理解漏洞的本身和到底发生了什么,我觉得这是一种非常好的方式。一种非常自信和镇定从容的方式。
