Microsoft Probes Flaw in ASP.NET

Microsoft Corp. is investigating a reported security flaw in its ASP.NET technology that could allow intruders to access password-protected sections of a Web site simply by altering a URL.

The hole involves a glitch in ASP.NET’s processing of URLs, a process known as canonicalization. According to an advisory posted Tuesday on Microsoft’s Web site, “an attacker can send specially crafted requests to the server and view secured content without providing the proper credentials.”

ASP.NET, the latest iteration of Microsoft’s ASP (Active Server Pages) technology, is a Web development platform for building Web-centric applications.

Microsoft has yet to post a fix for the problem, but in its advisory, the company offered guidelines to help users temporarily secure their sites against intrusion attempts until a permanent patch is delivered.

“It has been reported that a malicious user could provide a specially formed URL that could result in the unsecured serving of unintended content,” a Microsoft spokeswoman said. “It’s under investigation, and we’re working on finding an appropriate solution.”

The company has yet to determine what the permanent fix will be or when it will be posted, she said.

According to Microsoft, the problem exists in ASP.NET running on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional and Windows Server 2003, but it does not affect ASP. That means the problem affects a lot of users. A story on Netcraft.com reports that ASP.NET is now running on more than 2.9 million active sites.

The reported security hole allows visitors to a password-protected ASP.NET site to put a forward-slash, a space or “%5c” in the place of the backslash in the site’s URL and bypass the password login screen, as well as bypass protections on administrative areas of the site.

Microsoft is asking ASP.NET users to add an event handler to force real path validation for all Web server requests—an approach that will keep intruders from gaining access to sensitive data but could result in a performance or security tradeoff of its own, said Arian Evans, senior security engineer at Kansas City, Mo.-based FishNet Security.

“[The fix] will impact performance because every single request that’s made to the Web server will have to be validated before it’s either authenticated or rejected,” Evans said. “That’s a lot of requests to be processed.”

Evans pointed out that Microsoft is no stranger to security problems related to password or directory traversal. In December, the company discovered a bug in Internet Explorer that let crackers rip off Web pages more easily.

The vulnerability has generated lively discussion on Slashdot. While many are lamenting that it’s yet another Microsoft security breach, one poster noted that the vulnerability is fairly easy to remedy:

“While I think the flaw itself is a concern, the ‘rewrite their applications’ quote is pure drivel. All that’s required is a couple of lines in Global.asax. That’s hardly a rewrite,” said a poster identified as Timesprout.

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page

http://isc.sans.org/diary.php?date=2004-10-06
http://www.k-otik.com/news/10052004.ASPNETFlaw.php
http://blogs.devleap.com/rob/archive/2004/10/02/1803.aspx
http://www.heise.de/security/news/meldung/51730