Posted 2004/10/14 15:38:00, 740 views
What You Should Know About a Reported Vulnerability in Microsoft ASP.NET
Published: October 5, 2004 | Updated: October 7, 2004
Microsoft is continuing to investigate a reported vulnerability in Microsoft ASP.NET. Reports have indicated that an attacker could send specially crafted requests to a Web server running ASP.NET applications and bypass forms-based authentication or Windows authorization configurations, and potentially view secured content without providing the proper credentials. Our initial investigation has revealed that all versions of ASP.NET could be affected, independent of the installed IIS version or IIS components.
Microsoft strongly advises, as a preventative measure, that all Web content owners and administrators who are running any version of ASP.NET immediately read and implement one of the suggestions made in the Microsoft Knowledge Base articles listed on this page.
Note: This page was updated October 7, 2004, to include information about a newly released mitigation option, an HTTP module installer. This module protects all ASP.NET applications on a Web server against canonicalization problems that are currently known to Microsoft as of the publication date. We will continue to update this page as additional guidance and resources become available.
Guidance for Web Site Administrators
Microsoft has released an HTTP module that Web site administrators can apply to their Web server that will protect all ASP.NET applications on the server against URL canonicalization problems known to Microsoft as of the publication date. This module, as well as detailed guidance and deployment information, is available from the Microsoft Download Center.
For additional guidance on how to install and deploy this module to help protect your servers, see Microsoft Knowledge Base Article 887289, "HTTP Module to Check for Canonicalization Issues with ASP.NET."
Guidance for ASP.NET Developers
Note: If you install the HTTP module, this guidance is not necessary.
Microsoft recommends that Web site owners and developers implement the suggestions made in Microsoft Knowledge Base Article 887459, "Programmatically Check for Canonicalization Issues with ASP.NET," to mitigate this issue. Applying the article's guidance to your ASP.NET application will protect the application against URL canonicalization problems known to Microsoft as of the publication date.
In addition to this guidance, which will help protect customers against this type of security issue, Microsoft is working to provide a security update to ASP.NET that will provide additional protection for customers. We will release the update once it has reached an appropriate level of quality for deployment.
If you believe you are affected by this potential issue, contact Microsoft Product Support Services for assistance.
- For no-charge security update and virus-related support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338).
- For worldwide support, contact your local Microsoft office.
Develop a Security Strategy
Get the prescriptive technical guidance, tools, training, and updates you need to plan and manage a security strategy that is right for your organization.