VERY IMPORTANT: ASP.NET Security Vulnerability.

10 年 前
I think everybody should look at this :
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

This vulnerability was publically disclosed late Friday at a security conference.  We recommend that all customers immediately apply a workaround (described in post) to prevent attackers from using this vulnerability against your ASP.NET applications

This is serious I think and we need to apply the workaround as recommended
10 年 前
We were patch monkeys all Sunday.
For nop store here is what we can do:

In web.config

Turn it on:
From
<customErrors mode="Off" defaultRedirect="errorpage.htm">
      <error statusCode="403" redirect="bannedaddress.htm"/>
      <error statusCode="404" redirect="filenotfound.htm"/>
    </customErrors>


to
<customErrors mode="On" defaultRedirect="errorpage.htm" />

---------------------------------------------
OR FOR >NET 3.5 OR UP ( 1.8 and up)
--------------------------------------------
In nop store web.config
From
<customErrors mode="Off" defaultRedirect="errorpage.htm">
      <error statusCode="403" redirect="bannedaddress.htm"/>
      <error statusCode="404" redirect="filenotfound.htm"/>
    </customErrors>


to
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />


Add a page on the store root folder Error.aspx:



<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
   void Page_Load() {
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);
        
      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <h1>
        We're sorry, an internal error occurred that prevents the request to complete.</h1>
    <p>
        Our supporting staff has been notified with this error and will address this issue
        shortly. We profusely apologize for the <b>inconvenience</b> and for any damage
        this may cause. You might want to try the same action at later time.
    </p></body>
</html>


[ Based on Scott Gu's post ]
10 年 前
Just a small correction:

ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET 3.5 needs the first workaround
ASP.NET 3.5 SP1 or ASP.NET 4.0 needs the second workaround

more info on http://info.dotnetnuke.com/rs/dotnetnuke/images/DotNetNuke_Security_Update_Regarding_ASPNET_Vulnerability_091810.pdf
10 年 前
Thanks for letting us know about this.  Here's a suggestion that might also help others. When I implemented this in nopCommerce  1.8  with the error.aspx page example from  Scott Guthrie's blog everything worked, except that the error page inherited the nopCommerce theme! This made the message hard to read. Setting  EnableTheming="false" in the @Page directive didn't work. To overcome this, I just disabled the theme by placing this snippet of code:


protected void Page_PreInit(object sender, EventArgs e)
    {
    this.Theme = string.Empty;
    }


in the script tag and then added some styles to the page to make it look okay.  Here's the entire page for ASP.NET 4.0 -- no need to compile or anything, just edit text in notepad or other text editor.

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
   void Page_Load() {
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);
        
      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
    }
  
  protected void Page_PreInit(object sender, EventArgs e)
  {
  this.Theme = string.Empty;
  }
</script>

<html>
<head runat="server">
    <title>Error</title>
  
      <meta name="robots" content="noindex,nofollow" />
    <style type="text/css">
<!--
body{font:12px/1.8em Verdana,Arial,Helvetica,sans-serif;background:#FFFFFF;color:#336699;margin:40px}ul{margin-top:-12px;color:#000000}ol{margin-top:-12px;color:#000000;width:400px}p{width:500px;color:#000000;margin-top:-10px}a{color:#cc4d00;font-weight:bold}
-->
    </style>
</head>
<body>
<div>
Your customized error message here.
</div>
</body>
</html>
10 年 前
Very cool. Thanks for sharing.
10 年 前
Microsoft hasn't said when it plans to issue a permanent fix. Its next regular patch release is scheduled for October 12. ®
10 年 前
A patch is released:
10 年 前
USRFobiwan wrote:
A patch is released:


Thanks for the heads up.