Last post Dec 30, 2011 05:05 PM by naziml
Dec 29, 2011 02:46 PM|HelloThar
From the bulletin:
"Sites that disallow application/x-www-form-urlencoded or multipart/form-data HTTP content types are not vulnerable"
What does this mean, and how can I determine if my sites fall into this category?
Dec 29, 2011 06:08 PM|mbanavige
A very good place to watch for news on this topic is Scott Gu's blog here:
I see a question posted as a comment to his blog that looks like what you're asking - so you've probably already found that blog.
Note that multipart/form-data is used when your site accepts file uploads. So if you are accepting file uploads to your site, then we should assume that you have not disallowed that content type. Keep in mind though that if your site does not offer file upload functionality, it does not mean that the content types noted above have actually been disallowed. Disallowing those content types would need to be a specific action you would have taken when setting up the site and it appears that disallowing those content types is something that could be done with your firewall.
Dec 29, 2011 06:21 PM|HelloThar
Thanks for the insightful answer. Does application/x-www-form-urlencoded also apply to file uploads?
Dec 29, 2011 06:29 PM|mbanavige
The content type application/x-www-form-urlencoded is used when doing a standard POST. So it is something that I'd suspect all sites would support unless you've gone out of your way to limit your site to simple GET requests.
Ultimately, as soon as the security update is released, I think you would want to look at getting it applied ASAP.
This little excerpt from the security advisory probably says it most succinctly:
How do I know if my service is vulnerable?
Any version of ASP.NET is vulnerable if form submission is enabled using the HTTP POST method, which is the default configuration. Specially crafted HTTP GET requests do not cause the issue. .NET functionality other than ASP.NET, including client-side functionality, is not affected.
Dec 30, 2011 05:05 PM|naziml
@HelloThar Not typically. That is usually for form POSTs.
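Added example, not part of the thread or of the bulletin: one way to answer the original question empirically is to send one small POST per content type to a site you operate and look at the status code that comes back. The rule that a 4xx reply means the type is rejected, the function names and the local stub server are assumptions made for this illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The two content types named in the bulletin quote, each with a minimal valid body.
PROBES = {
    "application/x-www-form-urlencoded": b"probe=1",
    "multipart/form-data; boundary=xprobe":
        b'--xprobe\r\nContent-Disposition: form-data; name="probe"\r\n\r\n1\r\n--xprobe--\r\n',
}

def probe_form_content_types(url, timeout=5):
    """POST one tiny body per content type; return {content_type: HTTP status}."""
    # Ignore environment proxy settings so the probe reaches the site directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    results = {}
    for ctype, body in PROBES.items():
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": ctype})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # a 4xx/5xx reply still shows how the site reacted
        results[ctype.split(";")[0]] = status
    return results

def disallows_form_posts(results):
    """Assumption: a 4xx reply to every probe means the types are rejected up front."""
    return all(400 <= status < 500 for status in results.values())

class _FilteringStub(BaseHTTPRequestHandler):
    """Constructed local stand-in for a site whose filter rejects form content types."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ctype = self.headers.get("Content-Type", "").split(";")[0]
        blocked = ctype in ("application/x-www-form-urlencoded", "multipart/form-data")
        self.send_response(415 if blocked else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    """Probe the constructed stub on a free local port and return the statuses."""
    server = HTTPServer(("127.0.0.1", 0), _FilteringStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_form_content_types(f"http://127.0.0.1:{server.server_port}/")
    finally:
        server.shutdown()
        server.server_close()
```

Against a real site, pass a URL that normally accepts a form POST; a 2xx status for either content type means that type has not been disallowed, while a 4xx can also come from unrelated causes such as authentication.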