Last post Sep 25, 2010 11:46 AM by Rovastar
Sep 24, 2010 11:29 PM
Scott Gu has made a new blog post that discusses an additional level of protection that can be achieved via the use of UrlScan.
Please be sure to read and implement this new recommendation.
Sep 25, 2010 11:46 AM
I would not say this is just an additional level of protection; it is a fundamental flaw that can bypass your already existing error handling routine, even if you only give a single page HTTP 200 code back, and gives you the yellow screen ASP.NET errors and attacks; you can then do the oracle padding attack.
I am not going to post more details of how to do this; I have informed Microsoft, and many large sites still have this live and open to attack.
Sometimes URLScan can be a pain to get just right.
You can use the IIS request filtering in IIS7 instead.