s3034sd
0 Points
1 Post
Are resources not handled by ASP.NET affected?
Sep 20, 2010 12:44 PM
After attempting to apply the workaround, my ASP.NET resources (.aspx and .html as I have set up ASP.NET to protect .html pages with forms authentication) are protected so that all errors redirect to the same page.
However, if I try to access a resource type not handled by ASP.NET e.g. mysite/orange.jpg, where such a file does not exist, I get an inbuilt 404 error. mysite/page.aspx or mysite/file.html shows the custom error as intended. Am I still vulnerable?
owjeff
Member
136 Points
37 Posts
Re: Are resources not handled by ASP.NET affected?
Sep 20, 2010 05:16 PM
If you've implemented the fix for ASP.NET, you should be covered. The issue stems from the error messages normally returned by ASP.NET allowing it to guess the MachineKey. The standard IIS error codes for static content do not come into play with this exploit AFAIK.
OrcsWeb: Managed Windows Hosting Solutions
"Remarkable Service. Remarkable Support."