Last post Sep 22, 2010 09:47 AM by owjeff
Sep 20, 2010 03:50 PM | coreycoogan
I've been reading about this vulnerability for the last hour and don't understand why a custom 404 can't be used? A 404 error page seems to tell the attacker no additional information than my other catch-all error page. If they are looking at patterns in variance between response times, my 404 should be consistent, right? I'm not sure how the 404 is a threat in this case?
While I'm at it, anyone understand how the attacker could gain access to a web.config? I realize that they may be able to forge a token or cookie, but not clear on how they gain access to the file system?
EDIT: I did find out how the web.config, or any other application file, can be accessed here:
Sep 20, 2010 04:23 PM | Mikesdotnetting
But your 404 and 500 status codes are different, as would be the response time if you followed only part of the advice and didn't put the random sleep in. The "patch" serves only to make it significantly more difficult for an attacker to determine how successful they have been by examining HTTP status codes or response times. Troy Hunt's rather good article explains that well.
Sep 20, 2010 05:03 PM | mbanavige
A 404 error page seems to tell the attacker no additional information than my other catch all error page.
A 404 tells the attacker that what they just did was not a 500...
The exploit makes use of 404 vs 500 as part of the attack. Short of taking apart the attack and examining in detail how it makes use of that seemingly minor difference, I would take the recommendations from MSFT at face value on this and I would NOT disclose the difference between a 404 and 500.
Based on the various posts here and several comments on Scott Gu's blog, hiding a 404 appears to have made some members uncomfortable (what will my users see... what will the search engines see...). Please keep in mind that this is currently a temporary thing and is expected to no longer be necessary when a patch is released.
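The mitigation discussed in the two replies above, a single catch-all error page plus a random sleep, as an added example for ASP.NET Web Forms (this is illustrative code written for this thread summary, not code posted by any participant or taken from Microsoft's advisory). It assumes web.config carries `<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />` so that every error, 404 and 500 alike, is served by one page, that the project targets .NET 4 or later (where `RNGCryptoServiceProvider` is disposable), and that the class name `ErrorPage` and the choice of a fixed 200 status are placeholders you would adapt to your own site.

```csharp
// error.aspx.cs - code-behind for the single catch-all error page.
// Added example; assumes web.config contains
//   <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
// so every error path (missing resource, decryption failure, unhandled exception)
// is rewritten to this one page with the same body.
using System;
using System.Security.Cryptography;
using System.Threading;
using System.Web.UI;

public partial class ErrorPage : Page   // class name is a placeholder
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Collapse every error to one fixed status code so the client cannot
        // tell a 404 from a 500 by looking at the response. 200 is an
        // arbitrary choice here; what matters is that it is always the same.
        Response.StatusCode = 200;

        // Stop IIS 7+ (integrated pipeline) from swapping in its own
        // status-specific error page, which would reintroduce the difference.
        Response.TrySkipIisCustomErrors = true;

        // Add a small, unpredictable delay (0-255 ms) so response timing does
        // not distinguish the error paths either. A cryptographic RNG is used
        // rather than System.Random so the delay cannot be predicted.
        byte[] delay = new byte[1];
        using (RandomNumberGenerator prng = new RNGCryptoServiceProvider())
        {
            prng.GetBytes(delay);
        }
        Thread.Sleep(delay[0]);
    }
}
```

The markup side of error.aspx should be a generic "something went wrong" message with no exception details, no distinction between "not found" and "server error", and no per-path content; if the page body differs by error type, the status code and timing work above is undone.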
Sep 22, 2010 09:47 AM | owjeff
This explains the reason why 404 and 500 have to be the same: