[AusNOG] Huge ASP.net security flaw.

James Troy (PageUp/AU/VIC) jamest at pageuppeople.com
Tue Sep 21 11:37:15 EST 2010


This is interesting, it brings back the old school "brute force" attack
where they feed the asp.net application different strings, note the
errors and in time, decipher the encryption key and therefore decipher
the entire cipher text.

 

The only workaround atm is, if you are using asp.net, turn on custom
errors and point all your error pages at the same page, something like
"uh oh something went wrong", that way they cannot get anything back
from the error messages.

 

Microsoft is to release a patch but no timeline given, it will be
interesting to see if they do this one out-of-cycle or not.

 

http://www.computerworld.com.au/article/361513/microsoft_sounds_alert_massive_web_bug/?fp=39&fpid=25592&rid=1

 

James Troy

System / Network administrator

P: +613 8677 3735

F: +613 9923 6112

W: www.pageuppeople.com <http://www.pageuppeople.com> 

Level 10, 91 William Street

Melbourne VIC 3000 Australia

Retain  Recruit  Perform  Develop
