Yesterday a vulnerability was disclosed at a security conference that lets an attacker defeat the encryption an ASP.NET website performs with its Machine Key. The server uses this key to protect cookies, ViewState, form data and other values it sends to the client. By exploiting the flaw an attacker can decrypt and forge those values, which can be used to gain admin access, and can download files from the server such as web.config (which often contains other sensitive data, including database connection strings and possibly the Machine Key itself).
What you need to do now
Go read up on the vulnerability at:
http://www.microsoft.com/technet/security/advisory/2416728.mspx
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Then make a simple change to your web.config file: turn on customErrors with a single custom error page that handles every error, and no separate pages per status code. That alone prevents the attack from working. (In simple terms, the attack sends many deliberately corrupted encrypted values to the target site and watches the error responses, both the status codes and the time taken to return them, for clues as to whether each tampered value decrypted with valid padding. Repeating this lets the attacker decrypt and forge encrypted data without ever knowing the Machine Key, so the defence is to make every error look and take the same.)
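The following web.config fragment is an added example, not taken from the advisory or from ScottGu's post, of the error-handling change described above for a hypothetical ASP.NET 3.5 SP1 or 4.0 site; the page name ~/error.aspx is an assumption, and the commented-out block shows the kind of configuration that leaves the site exposed.

```xml
<?xml version="1.0"?>
<!-- Hypothetical web.config for an ASP.NET site (example, not from the original post).
     Exposed configuration, for contrast: per-status-code error pages, or mode="Off",
     let a client tell a decryption failure (500) apart from a missing file (404),
     which is the signal the attack relies on. Do NOT configure it like this:

     <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx">
       <error statusCode="404" redirect="~/notfound.aspx" />
       <error statusCode="500" redirect="~/servererror.aspx" />
     </customErrors>
-->
<configuration>
  <system.web>
    <!-- Hardened: every unhandled error, whatever its status code, is answered with
         the same page. mode="On" so local and remote requests behave identically.
         There are deliberately no <error statusCode="..."> children, because a
         per-code page would reintroduce a distinguishable response.
         redirectMode="ResponseRewrite" (available from .NET 3.5 SP1) serves the
         error page in place of the response instead of issuing a 302 redirect. -->
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
```

On ASP.NET 1.0 through 3.5 (before SP1) the redirectMode attribute does not exist; there, use `<customErrors mode="On" defaultRedirect="~/error.html" />` with a static page. For 3.5 SP1 and 4.0 the advisory additionally recommends that the error page itself sleep for a short random interval before responding, so that the time a request takes cannot be used as a second oracle once the status codes are uniform. After deploying, request a non-existent page and a page with a corrupted ViewState or cookie from outside the server and confirm that both return the same page, with the same status code.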
The exploit is already making its way through the internet. Microsoft is working on a patch that will be released shortly, but until then these are the only steps to protect your website. It's unfortunate, but the two who found the vulnerability refused to work with Microsoft and instead chose to reveal the details of the exploit at a conference and then toss thumb drives into the crowd containing code to exploit sites.
Posted By Mike On Saturday, September 18, 2010
Filed under asp.net