Microsoft Probes Flaw in ASP.NET

Updated: A glitch in the platform's processing of URLs could allow intruders to access password-protected sections of a Web site simply by altering a URL.

Microsoft Corp. is investigating a reported security flaw in its ASP.NET technology that could allow intruders to access password-protected sections of a Web site simply by altering a URL.

The hole involves a glitch in ASP.NETs processing of URLs, a process known as canonicalization. According to an advisory posted Tuesday on Microsofts Web site, "an attacker can send specially crafted requests to the server and view secured content without providing the proper credentials."

ASP.NET, the latest iteration of Microsofts ASP (Active Server Pages) technology, is a Web development platform for building Web-centric applications.

Late Thursday, Microsoft posted to its Web site a downloadable fix for the problem. The fix consists of an ASP.Net HTTP module that "will protect all ASP.NET applications against all potential canonicalization problems known to Microsoft," according to the company.

In its advisory, posted earlier in the week, the company also offered guidelines to help users temporarily secure their sites against intrusion attempts until a permanent patch is delivered.

"It has been reported that a malicious user could provide a specially formed URL that could result in the unsecured serving of unintended content," a Microsoft spokeswoman said. "Its under investigation, and were working on finding an appropriate solution."

The company has yet to determine what the permanent fix will be or when it will be posted, she said.

According to Microsoft, the problem exists in ASP.NET running on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional and Windows Server 2003, but it does not affect ASP. That means the problem affects a lot of users. A story on reports that ASP.NET is now running on more than 2.9 million active sites.

The reported security hole allows visitors to a password-protected ASP.NET site to put a forward-slash, a space or "%5c" in the place of the backslash in the sites URL and bypass the password login screen, as well as bypass protections on administrative areas of the site.

Microsoft is asking ASP.NET users to add an event handler to force real path validation for all Web server requests—an approach that will keep intruders from gaining access to sensitive data but could result in a performance or security tradeoff of its own, said Arian Evans, senior security engineer at Kansas City, Mo.-based FishNet Security.

"[The fix] will impact performance because every single request thats made to the Web server will have to be validated before its either authenticated or rejected," Evans said. "Thats a lot of requests to be processed."

Evans pointed out that Microsoft is no stranger to security problems related to password or directory traversal. In December, the company discovered a bug in Internet Explorer that let crackers rip off Web pages more easily.

The vulnerability has generated lively discussion on Slashdot. While many are lamenting that its yet another Microsoft security breach, one poster noted that the vulnerability is fairly easy to remedy:

"While I think the flaw itself is a concern, the rewrite their applications quote is pure drivel. All thats required is a couple of lines in Global.asax. Thats hardly a rewrite," said a poster identified as Timesprout.

Editors Note: This story was updated to add information about the fix for the ASP.NET vulnerability.


Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.


Be sure to add our Security news feed to your RSS newsreader or My Yahoo page