So, Slashdot got hold of the story about the ASP.NET vulnerability (the backslash bug), and as usual they're loving it over there. What I haven't seen much mention of, though, is that many sites were never affected by this. The reason? URLScan for IIS 5, and IIS 6 (which already incorporates much of URLScan), have always blocked this type of attack - remember, URLScan was released in 2001 and it blocks a whole host of malformed-URL attacks (there have been a bunch before this one).
The current Microsoft advice is to add some code to each ASP.NET application. Fine - but if you have a properly configured URLScan or IIS 6.0, you've never been at risk from this attack. Whilst I'm pretty disgusted that such a simple error got through testing (and let's face it, this will probably cost a few companies developing with ASP.NET a bit of business), it does reinforce the fact that you should never rely on a piece of code you can't inspect personally for your application's security.
UPDATE: The piece below has some new info - including an HttpModule which can patch all your apps...
Today we posted updated information to http://www.microsoft.com/security/incident/aspnet.mspx with additional information about the nature of the reported vulnerability and an additional mitigation best practice. Our additional guidance is an HTTP Module that you can install onto a server that will mitigate all ASP.NET applications on the box and protect them against canonicalization issues we knew about at the time of publication. This is easier than updating the global.asax for each application and, if you are dealing with a whole lot of servers, much easier to deploy. You can grab the MSI installer for the HTTP Module at http://www.microsoft.com/downloads/details.aspx?FamilyId=DA77B852-DFA0-4631-AAF9-8BCC6C743026. There is also a new KB posted at http://support.microsoft.com/?kbid=887289 that describes how to deploy the MSI and HTTP Module.
We will continue to update the landing page as new information or guidance becomes available, so keep checking back.
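Both the per-application global.asax code and the server-wide HTTP Module mentioned above do the same kind of thing: they look at each incoming request before any page or authorization logic runs and refuse anything whose path is not in canonical form. The snippet below is an added example written for this post, not the module Microsoft shipped or the code from its KB article; the class name CanonicalPathGuardModule, the 404 response and the exact checks are my own choices. It rejects a request when the virtual path contains a backslash (the canonicalization case this bug is about) or when the mapped physical path does not survive a round trip through Path.GetFullPath unchanged.

```csharp
// Added example (not Microsoft's module): an IHttpModule that rejects requests
// whose path is not in canonical form, before ASP.NET authorization runs.
using System;
using System.IO;
using System.Web;

public class CanonicalPathGuardModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before authentication/authorization modules,
        // so a rejected request never reaches them or the page handler.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose()
    {
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        if (!IsCanonical(request.Path, request.PhysicalPath))
        {
            // Answer with a plain 404; nothing about why the path was rejected
            // needs to go back to the client.
            throw new HttpException(404, "Not found");
        }
    }

    // Returns true only when the request path is already in canonical form.
    public static bool IsCanonical(string virtualPath, string physicalPath)
    {
        // A backslash anywhere in the virtual path is the case this bug is
        // about: the path should only ever use forward slashes by the time
        // ASP.NET sees it, so refuse anything else outright.
        if (virtualPath == null || virtualPath.IndexOf('\\') >= 0)
        {
            return false;
        }

        // Belt and braces: the physical path IIS mapped the request to must
        // already be fully qualified (no "..", no doubled separators). If
        // normalizing it changes anything, something further down the
        // pipeline could interpret it differently than we just did.
        try
        {
            return Path.GetFullPath(physicalPath) == physicalPath;
        }
        catch (ArgumentException)
        {
            return false;   // invalid characters or empty path
        }
        catch (NotSupportedException)
        {
            return false;   // e.g. a drive-letter colon in the wrong place
        }
        catch (PathTooLongException)
        {
            return false;
        }
    }
}
```

To use it, compile the class into an assembly in the application's bin directory and register it in web.config under `<system.web><httpModules>` with an `<add name="CanonicalPathGuard" type="CanonicalPathGuardModule" />` entry; to cover every application on a box the way the Microsoft module does, the same entry goes into the machine-level configuration instead. The check is deliberately a whitelist on form rather than a blacklist on known bad sequences, which is the same reason URLScan's normalization options hold up against variants that were not known when the rules were written.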
posted on Thursday, October 07, 2004 5:34 PM