Re: ASP.Net vulnerability

BugTraqers,

There was lively discussion about the ASP.net vulnerability on the IIS
discussion lists at iislists.com yesterday. I've had conversations with IIS
support and the IIS team. The nut of it is that that all ASP.net
applications need to be modified per the instructions immediately.

Regardless of what you may read elsewhere, the update needs to be applied
regardless of the type of authentication used in the asp.net application.
The modifications Microsoft published are not a best practice or a
suggestion - but an essential security fix to put in place till an update to
asp.net is prepared. Disabling parent paths will not solve the problem and
I'm guessing that URLScan is not a complete solution either.

The only exception I know about is if you aren't using asp.net. In other
words, if you are only delivering static pages or classic asp, then you're
not at risk as the request has to be handled by the asp.net ISAPI. However
any website delivering ASP.net content needs to be updated ASAP.

Brett Hill
IIS MVP
IIStraining.com

--
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such 
that just hitting reply is going to result in the message coming to the list, 
not to the individual who sent the message. This was done to help reduce the 
number of Out of Office messages posters received. So if you want to send a 
reply just to the poster, you'll have to copy their email address out of the 
message and place it in your TO: field.
--