A vulnerability that can lead to information disclosure has been found in ASP.NET. It affects every version of ASP.NET, so please take protective measures. For details see http://www.microsoft.com/technet/security/advisory/2416728.mspx.
A patch for this vulnerability has now been released; download the update from http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx or install it through Windows Update.
The information below is the temporary workaround that was recommended before the patch was released.
For .NET Framework 3.5 or earlier
1. Enable ASP.NET custom errors and point all error codes to the same error page.
2. (A) If the ASP.NET application has no web.config file, create one in the application's root directory with the following content
<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
    </system.web>
  </location>
</configuration>
(B) If a web.config file already exists, insert the following content
<system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web>
3. Create a file named error.html. It may contain a static error message but must not contain any dynamic content.
For .NET Framework 3.5 SP1 or later
1. Enable ASP.NET custom errors and point all error codes to the same error page.
2. (A) If the ASP.NET application has no web.config file, create one in the application's root directory with the following content
<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>
(B) If a web.config file already exists, insert the following content
<system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
</system.web>
3. Create an ErrorPage.aspx file with the following content
C#
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    void Page_Load() {
        // Sleep for a random 0-255 ms so that response timing does not reveal which error occurred
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
VB:
<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    Sub Page_Load()
        ' Sleep for a random 0-255 ms so that response timing does not reveal which error occurred
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()

        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))

        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
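As an added check, not part of the original post or of Microsoft's advisory, the following Python script parses a web.config and reports where it deviates from the workaround above: customErrors must be On, every error must land on the single defaultRedirect page (no per-status <error> mapping to a different page), and on .NET 3.5 SP1 or later redirectMode must be ResponseRewrite. The two sample configs and the function name check_custom_errors are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from the advisory):
# one that still lets error responses be told apart, and one that applies the workaround.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
      <error statusCode="404" redirect="~/notfound.html" />
    </customErrors>
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite"
                    defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>"""


def check_custom_errors(config_xml, sp1_or_later=True):
    """Return the list of deviations from the workaround; an empty list means it is applied.

    sp1_or_later selects the .NET 3.5 SP1+ variant, which additionally needs
    redirectMode="ResponseRewrite" so the error page is served in place of a redirect.
    """
    findings = []
    elements = []
    root = ET.fromstring(config_xml)
    # <system.web> may sit directly under <configuration> or inside <location>.
    for system_web in root.iter("system.web"):
        elements.extend(system_web.findall("customErrors"))
    if not elements:
        return ["no <customErrors> element under <system.web>"]
    for ce in elements:
        if ce.get("mode") != "On":
            findings.append("mode is %r, expected 'On'" % ce.get("mode"))
        if not ce.get("defaultRedirect"):
            findings.append("defaultRedirect is missing")
        # A status code routed to its own page makes that error distinguishable again.
        for err in ce.findall("error"):
            if err.get("redirect") != ce.get("defaultRedirect"):
                findings.append("statusCode %s maps to a different page" % err.get("statusCode"))
        if sp1_or_later and ce.get("redirectMode") != "ResponseRewrite":
            findings.append("redirectMode should be 'ResponseRewrite' on .NET 3.5 SP1 or later")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_custom_errors(cfg) or "OK")
```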