Friday, October 8, 2004

Slashdot is reporting a flaw in ASP.NET that allows someone to bypass certain types of security and access portions of a web site that they do not have the right to see. If you use forms-based authentication with a sub folder and a web.config file, like this:

http://localhost/secure/securepage.aspx

and the user types in:

http://localhost/securesecurepage.aspx

they will not be redirected to the login page and will instead be served the protected page directly.

Here are some links from the article:

Slashdot: Microsoft Issues Ominous ASP.Net Security Warning

NT-Bugtraq: discovered a serious flaw in .NET forms authentication

Microsoft KB-887459: Programmatically check for canonicalization issues with ASP.NET
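As an added example (not code from the original post), here is a Global.asax check in C# that follows the approach the KB article above describes: reject the request before authorization runs if the URL path is not in canonical form. The class and method names are my own, and the exact check is written from memory of the KB's recommendation.

```csharp
// Global.asax.cs (added example, not from the original post).
// Runs once per request, ahead of forms authentication and the
// sub-folder web.config authorization rules, and refuses any request
// whose path is not already canonical, so a non-canonical spelling of a
// protected folder is never matched against those rules.
using System;
using System.IO;
using System.Web;

public class Global : HttpApplication
{
    // Returns true when both the URL path and its physical mapping are canonical.
    // Kept as a separate static method so it can be unit-tested without a request.
    public static bool IsCanonicalRequest(string requestPath, string physicalPath)
    {
        // A backslash in the URL path is never part of a canonical ASP.NET path.
        if (requestPath.IndexOf('\\') >= 0)
            return false;

        // If fully resolving the mapped file changes it, the request used a
        // form that differs from what the authorization module evaluated.
        return Path.GetFullPath(physicalPath) == physicalPath;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!IsCanonicalRequest(Request.Path, Request.PhysicalPath))
        {
            // Fail closed: answer 404 instead of serving the page.
            throw new HttpException(404, "Not found");
        }
    }
}
```

This is a stop-gap for the issue the post describes; the vendor patch should still be applied once available.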
