Padding oracle and web.config RSS

• • Reply
  

  nikshukla

  Member

  291 Points

  61 Posts

  Padding oracle and web.config

  Sep 22, 2010 06:20 PM|LINK

  I read on Scott's post  that this attack allows to download web.config file.

  Can we block all the requests to web.config using ISAPI filter at IIS level?  Will it prevent web.config download?

  Thanks

   

  oracle padding

  Please click "Mark as answer" on post if it answered your question.
  
  N Shukla
  Architect/Technical Lead
• • Reply
  

  owjeff

  Member

  136 Points

  37 Posts

  Re: Padding oracle and web.config

  Sep 22, 2010 06:28 PM|LINK

  Are you running ASP.NET 3.5 SP1 or ASP.NET 4.0? 

  Jeff Graves
  
  OrcsWeb: Managed Windows Hosting Solutions
  "Remarkable Service. Remarkable Support."
• • Reply
  

  nikshukla

  Member

  291 Points

  61 Posts

  Re: Padding oracle and web.config

  Sep 22, 2010 06:36 PM|LINK

  Thank you for you reply Jeff.

  For the question I posted above, a version of asp.net will not matter.

  Let's assume that we do have a 3.5 SP1 installed. 

   

   

  Please click "Mark as answer" on post if it answered your question.
  
  N Shukla
  Architect/Technical Lead
• • Reply
  

  owjeff

  Member

  136 Points

  37 Posts

  Re: Padding oracle and web.config

  Sep 22, 2010 06:39 PM|LINK

  The version of ASP.NET does matter. While the web.config is a file that cannot be downloaded directly in versions of ASP.NET prior to 3.5 SP1, the web.config can be accessed EVEN if it is explicity blocked via IIS.

  Jeff Graves
  
  OrcsWeb: Managed Windows Hosting Solutions
  "Remarkable Service. Remarkable Support."
  • Marked as answer by Shengqing Yang - MSFT on Sep 28, 2010 05:55 AM