ASP.NET Security Flaw Workaround
September 19th, 2010 by Dario Solera | Filed under Security.

There has been quite some noise around the recently disclosed security issue in ASP.NET. While the issue is real and potentially dangerous, a fix is not yet available as of this writing, but Scott Guthrie posted a rather clever workaround on his blog. Without delving into much detail, the problem is that ASP.NET, or applications built on it, might leak details about the errors that occur (specifically the exception and the stack trace). Using such data together with a brute-force attack, an attacker would be able to decrypt data contained in ASP.NET’s cookies and/or ViewState (specifically by identifying the encryption algorithm and key). That’s bad, because a number of exploits become possible under such conditions.
Just in case you are wondering, with the default configuration (pre-workaround), ScrewTurn Wiki in absolutely no case leaked information about any error that occurred, so it already included some mitigation against this specific issue. At any rate, we applied the workaround to ScrewTurn Wiki, so make sure to download and install version 3.0.4.560.
If you are using the Web Platform Installer, you’ll have to wait until Microsoft approves the update (that usually takes a couple of weeks). Alternatively, you can update the application manually, just as you would a regular instance. If you need help, just ask for help in our forum.
Update (2010/09/21): sorry, I forgot to mention that you should also update your web.config file, making sure that it contains the customErrors section.
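As an added illustration (not from the original post and not ScrewTurn Wiki’s own web.config), here is the shape of the customErrors section that Scott Guthrie’s workaround calls for, with the weak configuration beside the corrected one. The page name ~/error.aspx is an assumed placeholder.

```xml
<!-- Before: the weak setting. Distinct error pages per status code (or mode="Off")
     let a remote client tell one kind of failure from another, and that difference
     is exactly the signal the attack needs in order to succeed. -->
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/servererror.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- After: the workaround. Every error, whatever its cause, yields the same page,
     with no per-status-code entries. redirectMode="ResponseRewrite" serves the page
     in place rather than issuing a redirect (ASP.NET 3.5 SP1 or 4.0; leave the
     attribute out on older versions, where the rest of the setting still applies). -->
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
```

Guthrie’s post also recommends that the error page itself add a short random delay before responding, so that response timing gives no additional signal about what went wrong.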