How to Mitigate an ASP.NET Vulnerability

The vulnerability is described on Microsoft's security site, in response to an earlier post on NTBugTraq. The security site will be the "home page" for the vulnerability and will be updated as more information becomes available. Note that source code is not at risk. I will post more information about what scenarios do pose a risk once I'm confident the issue is fully understood. For now, protect your site.

Brian Goldfarb is coordinating the response, his weblog provides a bit more information.

Sample code to reduce the attack surface is pasted below from a related KB article.

Global.asax code sample (Visual Basic .NET)

<script language="vb" runat="server"> 
Sub Application_BeginRequest(Sender as Object, E as EventArgs)
If (Request.Path.IndexOf(chr(92)) >= 0 OR _
System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
Throw New HttpException(404, "Not Found")
End If
End Sub

Global.asax code sample ( C#)

<script language="C#" runat="server"> 
void Application_BeginRequest(object source, EventArgs e)
if (Request.Path.IndexOf('\\') >= 0 || System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath)
throw new HttpException(404, "not found");

No Comments