Last post Sep 19, 2010 07:57 AM by jim_harte
Sep 18, 2010 10:53 AM|jim_harte|LINK
If a site uses Windows Authentication (Basic or Integrated), as opposed to Forms Authentication, is it still vulnerable? Or does this only affect sites that use Forms Authentication?
Sep 18, 2010 11:14 AM|jim_harte|LINK
Also, in the demonstration against DNN here:
http://www.youtube.com/watch?v=yghiC_U2RaM, it looks like an attacker needs a "cipher text" to crack the encryption key. If a site does not expose any cipher text, is it still vulnerable? My understanding is requests for embedded resources, such as ajax
scripts, expose these in references to ScriptResources or WebResources in the page source...
Sep 18, 2010 11:37 AM|OWScott|LINK
Windows auth isn't affected, so you're good there, but if someone gets to the rest of your site, they may be able to access connection strings or passwords that will allow them to elevate their privledges and gain more access through each iteration, like
in the attached video.
It seems the case for me too that the cipher text is needed. That's readily available though.
Sep 19, 2010 07:57 AM|jim_harte|LINK
FYI, I posted the same question on Scott Guthrie's blog. Here's his response:
# re: Important: ASP.NET Security Vulnerability
Saturday, September 18, 2010 10:10 PM by ScottGu
>>>>>>>> If a site is using Windows authentication (Basic or Integrated), as opposed to Forms Authentication, is it still vulnerable?
Yes. The attack that was covered at a security conference yesterday did not use either Forms Authentication or ViewState as the attack vector.
Even if you use Windows Authentication you should apply the workaround. Once a patch to fix the vulnerability is available then the workaround will no longer be required.
Hope this helps,