Last post Sep 18, 2010 11:09 AM by perb
Sep 18, 2010 10:41 AM|StephenLacy
I've found this article to be the most useful for technical information on the vulnerability.
However, as an admin/developer of several ASP.NET sites I really need more information. I can understand that it's important to keep people in the dark until a patch is released; that makes sense. However, as someone who is also in the dark, it makes it slightly difficult for me as an admin to decide what is really the best course of action.
Allow me to elaborate.
First, if a user bookmarks a page on one of the sites I develop and then the access is removed, I want them to see a friendly error page saying they have not got access to this page.
However, if they manage to break the application in some way, I want a similarly friendly error page saying that "our developers are working on the problem..."
Obviously this bug isn't going to last forever, and this issue hardly trumps getting hacked, but it's important nonetheless.
Another concern of mine is that I was under the impression that custom errors didn't mask the error numbers that seem to be what the hackers need to break into the site. If they do mask the errors then this is a problem, as search engines use those error numbers to determine if a page should be removed from their index. I assume that if Scott Guthrie claims it solves the problem that he knows what he is talking about, but it's still worrying me.
Another concern is that they are able to decrypt the viewstate; I would like to know how this can be avoided. I don't store any sensitive information like connection strings in the viewstate that isn't being displayed to the user; however, the Cross Site Request Forgery token is in there. I use ViewStateKey = Session.SessionID or something to that effect, and I want to know that they can't get the session ID by decrypting the viewstate.
Finally, I have read from both the article above and Scott Guthrie's blog that a hacker could get the web.config file from the ASP.NET application using the encryption oracles. How is this achieved? That simply does not make any sense. Could it only happen in a very specific case, or is this the kind of thing that affects all ASP.NET websites that don't have a single error page with no error numbers?
Thanks in advance for any helpful replies.
Sep 18, 2010 11:09 AM|perb
There are a lot of bits and pieces of info in the Twitter feeds from these two who found the flaw; especially the YouTube video is disturbing.