Vulnerability Note VU#283646
Microsoft ASP.NET fails to perform proper canonicalization
Overview
Microsoft ASP.NET contains a canonicalization vulnerability that may allow a remote unauthenticated attacker to gain access to secure contents.
I. Description
Microsoft ASP.NET is a programming framework for creating web applications. The canonicalization routine used by ASP.NET fails to correctly parse URLs.
II. Impact
Depending on the contents of the web site, an attacker may take a variety of actions. For example, a remote unauthenticated attacker may be able to access secure web site contents by using a specially crafted URL.
III. Solution
Install an update
Install an update, as specified by MS05-004.
Workarounds
Microsoft includes the following workarounds in MS05-004:
- Install an HTTP module to check for canonicalization issues as described in Microsoft Knowledge Base article 887289.
- Test for canonicalization issues with ASP.NET as described in Microsoft Knowledge Base article 887459.
- Install and use URLScan.
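One way to implement the HTTP-module workaround listed above, as an added example that is not the code from KB 887289 or Microsoft's own: the module name and assembly name are placeholders, and the two checks it makes (a backslash in the request path, and a mapped physical path that differs from its fully resolved form) are the checks that KB article describes, assumed here.

```csharp
using System;
using System.IO;
using System.Web;

// Rejects requests whose URL is not in canonical form before ASP.NET's
// authorization runs, so a non-canonical path cannot reach protected content.
public class CanonicalizationCheckModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before the authentication/authorization modules.
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string virtualPath = ctx.Request.Path;           // e.g. /secure/page.aspx
        string physicalPath = ctx.Request.PhysicalPath;  // path ASP.NET mapped it to on disk

        // A virtual path should never contain a backslash, and the mapped
        // physical path should already equal its fully resolved form.
        // Either mismatch means the URL was not canonicalized as expected.
        bool hasBackslash = virtualPath.IndexOf('\\') >= 0;
        bool notCanonical = Path.GetFullPath(physicalPath) != physicalPath;

        if (hasBackslash || notCanonical)
        {
            // Generic 404: do not reveal why the request was refused.
            throw new HttpException(404, "Not Found");
        }
    }
}

/* web.config registration (assembly name "YourAssembly" is a placeholder):
<system.web>
  <httpModules>
    <add name="CanonicalizationCheck"
         type="CanonicalizationCheckModule, YourAssembly" />
  </httpModules>
</system.web>
*/
```

Log the rejected requests at the web server or in the module so that repeated non-canonical URLs against protected paths can be detected and investigated.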
Systems Affected
References
http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx
http://www.microsoft.com/protect/computer/updates/bulletins/200710.mspx
http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp
http://support.microsoft.com/kb/887289
http://support.microsoft.com/kb/887459
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0221.html
http://xforce.iss.net/xforce/xfdb/17644
http://www.securityfocus.com/bid/11342
http://secunia.com/advisories/12749/
http://securitytracker.com/alerts/2004/Oct/1011559.html
http://securitytracker.com/alerts/2005/Feb/1013109.html
Credit
This vulnerability was publicly disclosed by Toby Beaumont.
This document was written by Will Dormann.
Other Information
| Date Public: | 2004-10-05 |
| Date First Published: | 2005-02-08 |
| Date Last Updated: | 2007-10-16 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2004-0847 |
| NVD-ID(s): | CVE-2004-0847 |
| US-CERT Technical Alerts: | |
| Metric: | 37.97 |
| Document Revision: | 13 |