For more information see: Microsoft
You are here: Home > Microsoft ASP Vulnerability Disclosed
Microsoft ASP Vulnerability Disclosed
A vulnerability was revealed in the ASP.Net application encryption configuarion which can allow an attacker to decrypt and tamper with sensitive data. The vulnerability involves an unpatched information disclosure hole in the ASP.NET Web application framework. Microsoft has released a security advisory to confirm the vulnerability.
How it Works:
If the target ASP.NET application stores sensitive information (like database connection strings or passwords) in the ViewState object; this data could be compromised.
If the ASP .Net application is running ASP.Net 3.5 SP1 or above, the attacker could use the encryption vulnerability to get the contents of a file within the ASP.Net application. The disclosure demonstrated that by using this vulnerabilty technique to retrieve the contents of web.config, any file within the ASP.Net application can be compromised. If the worker process has access those elements it will return the information back to the attacker.
Microsoft said it was unaware of attacks that try to use the vulnerabilities or of customer impact at this time. However, Microsoft indicates that a tool is now available to automatically find and exploit this vulnerability.
From that perspective we can conclude that the threat is real.
What happens when the vulnerability is exploited? Well, according to researchers an attacker can easily view states, decrypt cookies, membership password, form authentication tickets, user data, plus anything else that is encrypted using the ASP.NET framework’s API. In otherwords, having the API can open the system to many other problems.
The vulnerabilities exploited affect the framework used by about 25 percent of Web sites on the Web. The total impact of the attack will depend on the applications installed on the server. These include a minor information disclosure issues to a total system compromise. For its part, Microsoft has posted workarounds and suggested mitigations in its security advisory.
Subscribe & Connect
Leave a Comment847 Comments left so far
Subscribe & Connect
- What is Buffering and How to Prevent it
- Google’s Nexus 7 Poised to Tackle Tablet Wars
- The Samsung Galaxy Beam Smartphone Is on Its Way to the UK
- How The Web Is Changing Research
- Is Online Backup Secure?
- Using A Public Hotspot? You Really Should Use A VPN
- SEO TIP: Use Separate IP Addresses If You Interlink Your Sites
3G adsense Advertising Android Apple Blogging Blogging Tips Connected Internet Digg facebook Firefox Forum Friday Fun Google Internet iPhone iPod iTunes making money online Microsoft Mobile Mobile News MP3 Nokia Playstation Playstation 3 plugins Problogging Projects RSS Security SEO Smartphones Tools & Tips UK video Vista WiFi Windows Wireless Content Wordpress Xbox Xbox 360 Yahoo! YouTube