Wednesday, October 13, 2004

HTTP module to check for canonicalization issues with ASP.NET

A few days ago, a security vulnerability in ASP.NET was discovered. The canonicalization issue, as it is known, is that an attacker could send specially crafted requests to a Web server running ASP.NET applications and bypass forms-based authentication or Windows authorization configurations, and potentially view secured content without providing the proper credentials. Initial investigation has revealed that all versions of ASP.NET could be affected, independent of the installed IIS version or IIS components. Read more on this issue at What You Should Know About a Reported Vulnerability in Microsoft ASP.NET.

Microsoft has now released an HTTP module that implements Best Practices for Canonicalization to check for this issue. More details on the HTTP module here...

Directly download the MSI package here...

It is recommended that all ASP.NET users, regardless of platform or ASP.NET version, apply this Validation Path module.
