mbanavige
All-Star
134944 Points
15413 Posts
ASPInsiders
Moderator
MVP
An additional protection step has been posted that utilizes UrlScan.
Sep 24, 2010 11:29 PM
Scott Gu has made a new blog post that discusses an additional level of protection that can be achieved via the use of UrlScan.
http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx
Please be sure to read and implement this new recommendation.
Rovastar
Member
182 Points
59 Posts
Re: An additional protection step has been posted that utilizes UrlScan.
Sep 25, 2010 11:46 AM
I would not say this is just an additional level of protection; it is a fundamental flaw that can bypass your already existing error handling routine, even if you only give a single page HTTP 200 code back, and gives you the yellow screen ASP.NET errors, and then you can do the oracle padding attack.
I am not going to post more details of how to do this. I have informed Microsoft, and many large sites still have this live and open to attack.
Sometimes URLScan can be a pain to get just right.
You can use the IIS request filtering in IIS7 instead.
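A worked configuration for the IIS request filtering alternative raised above, as an added example that is not code from this thread or from Scott Gu's post. It assumes the rule you want is the one the linked post recommends adding to UrlScan, denying any request whose query string contains aspxerrorpath=, and expresses the same rule with the request filtering module's denyQueryStringSequences element in web.config. The UrlScan.ini lines in the comment are the equivalent rule for sites that keep UrlScan instead.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example (not from the thread or from Scott Gu's post).
  IIS request filtering equivalent of the UrlScan workaround:
  reject any request whose query string contains "aspxerrorpath=".

  Equivalent UrlScan.ini entry:
      [DenyQueryStringSequences]
      aspxerrorpath=

  Matching is case-insensitive and applies before the request reaches
  ASP.NET, so a blocked request never runs application or error-page code.
  Denied requests get an HTTP 404 (sub-status 404.18, query string
  sequence denied) from IIS itself.
-->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyQueryStringSequences>
          <!-- The sequence the linked post says to deny. -->
          <add sequence="aspxerrorpath=" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

To confirm the rule is active, request any page on the site with `?aspxerrorpath=/x` appended and check that IIS answers 404 rather than serving the page or the custom error page. Two caveats: the denyQueryStringSequences element is part of the request filtering module that ships with IIS 7.5, and I am not certain it is available on a plain IIS 7.0 install, so check that before dropping UrlScan; and ASP.NET's own customErrors redirect (redirectMode="ResponseRedirect", the default) appends ?aspxerrorpath= to the error-page URL, so with this rule in place that redirect will itself be blocked with a 404, which is why the workaround pairs it with redirectMode="ResponseRewrite" or a static error page. This is request filtering on top of the error-handling workaround, not a fix for the underlying cryptographic flaw.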