VERY IMPORTANT: ASP.NET Security Vulnerability.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
13 years ago
I think everybody should look at this :
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

This vulnerability was publicly disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround (described in post) to prevent attackers from using this vulnerability against your ASP.NET applications.

This is serious, I think, and we need to apply the workaround as recommended.
13 years ago
We were patch monkeys all Sunday.
For nop store here is what we can do:

In web.config

Turn it on:
From
<customErrors mode="Off" defaultRedirect="errorpage.htm">
      <error statusCode="403" redirect="bannedaddress.htm"/>
      <error statusCode="404" redirect="filenotfound.htm"/>
    </customErrors>


to
<customErrors mode="On" defaultRedirect="errorpage.htm" />

---------------------------------------------
OR FOR .NET 3.5 OR UP (1.8 and up)
--------------------------------------------
In nop store web.config
From
<customErrors mode="Off" defaultRedirect="errorpage.htm">
      <error statusCode="403" redirect="bannedaddress.htm"/>
      <error statusCode="404" redirect="filenotfound.htm"/>
    </customErrors>


to
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />


Add a page on the store root folder Error.aspx:



<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    // Sleep a random 0-255 ms before serving the error page so that the
    // response time carries no information about which error occurred.
    // The delay comes from the crypto RNG rather than System.Random.
    void Page_Load() {
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // RNGCryptoServiceProvider is disposable on newer frameworks only,
        // hence the cast instead of a plain using block.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <h1>
        We're sorry, an internal error occurred that prevents the request from completing.</h1>
    <p>
        Our support staff has been notified of this error and will address this issue
        shortly. We profusely apologize for the <b>inconvenience</b> and for any damage
        this may cause. You might want to try the same action at a later time.
    </p></body>
</html>


[ Based on Scott Gu's post ]
13 years ago
Just a small correction:

ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET 3.5 needs the first workaround
ASP.NET 3.5 SP1 or ASP.NET 4.0 needs the second workaround

more info on http://info.dotnetnuke.com/rs/dotnetnuke/images/DotNetNuke_Security_Update_Regarding_ASPNET_Vulnerability_091810.pdf
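The before/after web.config snippets above, together with the version correction in this post, amount to a small rule set: customErrors mode="On", one defaultRedirect page, no per-status <error> elements (so every error returns the same page), and redirectMode="ResponseRewrite" only on 3.5 SP1 / 4.0, where that attribute exists. The Python script below is an added example that applies those rules to a web.config; it is not code from this thread or from nopCommerce, the function names are my own, and the sample configs are constructed by copying the thread's snippets.

```python
import xml.etree.ElementTree as ET

# ASP.NET versions and the workaround each needs, as the correction post lists
# them. redirectMode only exists from 3.5 SP1 on, which is why older versions
# get the plain mode="On" variant.
FIRST_WORKAROUND = {"1.0", "1.1", "2.0", "3.5"}
SECOND_WORKAROUND = {"3.5 SP1", "4.0"}


def audit_custom_errors(web_config_xml: str, framework: str) -> list:
    """Return the findings that stop this web.config from matching the
    workaround for the given ASP.NET version. An empty list means it matches.

    Rules applied (from the thread):
      - customErrors mode must be "On"
      - a single defaultRedirect page must be configured
      - no per-status <error statusCode=...> children, so every error lands
        on the same page
      - on 3.5 SP1 / 4.0 the page must be served via redirectMode="ResponseRewrite"
    """
    if framework not in FIRST_WORKAROUND | SECOND_WORKAROUND:
        raise ValueError(f"unknown ASP.NET version: {framework!r}")

    root = ET.fromstring(web_config_xml)
    ce = root.find("system.web/customErrors")
    if ce is None:
        return ["no <customErrors> element under <system.web>"]

    findings = []
    mode = ce.get("mode")
    if mode != "On":
        findings.append(f'customErrors mode is {mode!r}; the workaround needs mode="On"')
    if not ce.get("defaultRedirect"):
        findings.append("no defaultRedirect page configured")

    codes = [e.get("statusCode") for e in ce.findall("error")]
    if codes:
        findings.append("per-status <error> elements for " + ", ".join(codes)
                        + " return different pages for different errors; remove them")

    redirect_mode = ce.get("redirectMode")
    if framework in SECOND_WORKAROUND and redirect_mode != "ResponseRewrite":
        findings.append(f'redirectMode is {redirect_mode!r}; ASP.NET {framework} '
                        'needs redirectMode="ResponseRewrite"')
    if framework in FIRST_WORKAROUND and redirect_mode is not None:
        findings.append(f"redirectMode is not recognized by ASP.NET {framework} "
                        "(the attribute exists from 3.5 SP1 on)")
    return findings


def workaround_applied(web_config_xml: str, framework: str) -> bool:
    """True when audit_custom_errors() reports nothing."""
    return not audit_custom_errors(web_config_xml, framework)


# Constructed samples, copied from the before/after snippets in the thread.
BEFORE = """<configuration><system.web>
<customErrors mode="Off" defaultRedirect="errorpage.htm">
  <error statusCode="403" redirect="bannedaddress.htm"/>
  <error statusCode="404" redirect="filenotfound.htm"/>
</customErrors></system.web></configuration>"""

AFTER_FIRST = """<configuration><system.web>
<customErrors mode="On" defaultRedirect="errorpage.htm" />
</system.web></configuration>"""

AFTER_SECOND = """<configuration><system.web>
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
</system.web></configuration>"""


if __name__ == "__main__":
    for label, cfg, version in (("before, 3.5", BEFORE, "3.5"),
                                ("first workaround, 3.5", AFTER_FIRST, "3.5"),
                                ("first workaround, 4.0", AFTER_FIRST, "4.0"),
                                ("second workaround, 4.0", AFTER_SECOND, "4.0")):
        print(label, "->", audit_custom_errors(cfg, version) or "OK")
```

Run it against a copy of the store's web.config with the version string matching the server's framework; anything it lists is a reason the error page would still differ between error types.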
13 years ago
Thanks for letting us know about this. Here's a suggestion that might also help others. When I implemented this in nopCommerce 1.8 with the error.aspx page example from Scott Guthrie's blog everything worked, except that the error page inherited the nopCommerce theme! This made the message hard to read. Setting EnableTheming="false" in the @Page directive didn't work. To overcome this, I just disabled the theme by placing this snippet of code:


protected void Page_PreInit(object sender, EventArgs e)
{
    this.Theme = string.Empty;
}


in the script tag and then added some styles to the page to make it look okay. Here's the entire page for ASP.NET 4.0 -- no need to compile or anything, just edit text in notepad or other text editor.

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    // Sleep a random 0-255 ms before serving the error page so that the
    // response time carries no information about which error occurred.
    void Page_Load() {
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }

    // Clear the theme in PreInit so the nopCommerce theme is not applied to
    // this page (EnableTheming="false" in the @Page directive did not work).
    protected void Page_PreInit(object sender, EventArgs e)
    {
        this.Theme = string.Empty;
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
  
      <meta name="robots" content="noindex,nofollow" />
    <style type="text/css">
    <!--
    body { font: 12px/1.8em Verdana, Arial, Helvetica, sans-serif; background: #FFFFFF; color: #336699; margin: 40px }
    ul   { margin-top: -12px; color: #000000 }
    ol   { margin-top: -12px; color: #000000; width: 400px }
    p    { width: 500px; color: #000000; margin-top: -10px }
    a    { color: #cc4d00; font-weight: bold }
    -->
    </style>
</head>
<body>
<div>
Your customized error message here.
</div>
</body>
</html>
13 years ago
Very cool. Thanks for sharing.
13 years ago
Microsoft hasn't said when it plans to issue a permanent fix. Its next regular patch release is scheduled for October 12.
13 years ago
A patch is released:
13 years ago
USRFobiwan wrote:
A patch is released:


Thanks for the heads up.