What you should know about a new Vulnerability in ASP.NET

Microsoft is currently investigating a reported vulnerability in ASP.NET (classic ASP is not affected) where an attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This issue affects anyone running any version of ASP.NET on Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, or Windows Server 2003.

The issue at hand is really that ASP.NET does not properly canonicalize (more on what that means in a minute) some URLs before it decides whether the caller is allowed to see the requested resource.

So what should you do? Good question. To begin with, add additional canonicalization safeguards to your Web application. The easiest way to do this is to add an Application_BeginRequest event handler to your Global.asax file. Since this event handler executes for every Web request, it is a convenient place to insert code that guards against canonicalization issues. Here is a sample:

void Application_BeginRequest(object source, EventArgs e) {
    // Reject any request whose path contains a backslash (Windows treats it as an
    // alternate directory separator) or whose physical path is not already in its
    // fully resolved form, i.e. still contains "..", "." or redundant separators.
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        // Answer with a plain 404 rather than revealing why the request was refused.
        throw new HttpException(404, "not found");
    }
}

What is Canonicalization? It is the process by which various equivalent forms of a name can be resolved to a single, standard name – the so-called canonical name. Data in canonical form is in its most standard or simplest form. Canonicalization is the process of converting data to its canonical form. File paths and URLs are particularly prone to canonicalization issues and many well-known exploits are a direct result of canonicalization bugs.

For example, consider the following string that contains a file and path in its canonical form:
c:\temp\somefile.dat

The following strings could also represent the same file:

  • somefile.dat
  • c:\temp\subdir\..\somefile.dat
  • c:\  temp\   somefile.dat
  • ..\somefile.dat
  • c%3A%5Ctemp%5Csubdir%5C%2E%2E%5Csomefile.dat

In the last example above, characters have been percent-encoded, that is, specified in hexadecimal form:

  • %3A is the colon character.
  • %5C is the backslash character.
  • %2E is the dot character.

You should generally try to avoid designing applications that accept input file names from the user to avoid canonicalization issues. Consider alternative designs instead. For example, let the application determine the file name for the user.

If you do need to accept input file names, canonicalize them first and make sure the result is strictly formed before making security decisions such as granting or denying access to the specified file. Checking the raw, un-canonicalized name and then opening the canonical file is exactly the mismatch that this class of bug exploits.
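To make the two halves of this post concrete, here is an added example (not code from the original post or from Microsoft) that canonicalizes request paths the way the Global.asax guard above expects, and shows why an authorization check made on the raw URL can be bypassed while the same check on the canonical form cannot. The /secure/ prefix, the file names and all the request variants are constructed for the demonstration; ntpath is used so the Windows separator rules apply on any host.

```python
"""Canonicalization demo: equivalent spellings of one URL or file path,
and a guard that only accepts the canonical spelling.

Added example, not part of the original post. The protected prefix and the
sample requests below are constructed, not taken from any real site."""
import ntpath
from urllib.parse import unquote

# Hypothetical rule: everything under /secure/ needs authentication.
PROTECTED_PREFIX = "/secure/"


def decode_fully(path, max_rounds=3):
    """Percent-decode until the text stops changing, so a doubly encoded
    separator (%255C -> %5C -> backslash) cannot hide from later checks.
    More layers than max_rounds is treated as hostile."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("too many layers of percent-encoding")


def canonical_url_path(path):
    """One standard form for a request path: fully decoded, backslashes
    treated as separators (as Windows does), '.' and '..' resolved,
    '..' above the root clamped, and lower-cased (NTFS is case-insensitive)."""
    decoded = decode_fully(path)
    # ntpath.normpath applies Windows rules on any platform.
    normalised = ntpath.normpath("\\" + decoded.lstrip("/\\"))
    return normalised.replace("\\", "/").lower()


def canonical_file_path(path):
    """Canonical form of a Windows file path, as in the c:\\temp example:
    percent-decode, then resolve '..' and '.' segments. (The Win32 tolerance
    for embedded spaces in the post's third variant is not modelled here.)"""
    return ntpath.normpath(decode_fully(path)).lower()


def naive_requires_auth(raw_path):
    """The bug class in the post: the decision is taken on the raw URL while
    the file system later resolves the same URL in canonical form."""
    return raw_path.startswith(PROTECTED_PREFIX)


def requires_auth(raw_path):
    """The fixed decision: canonicalize first, then compare."""
    return canonical_url_path(raw_path).startswith(PROTECTED_PREFIX)


def begin_request_check(raw_path):
    """Python equivalent of the Application_BeginRequest guard: refuse any
    request whose path is not already written in canonical form."""
    try:
        decoded = decode_fully(raw_path)
    except ValueError:
        return False
    if "\\" in decoded:
        return False
    return canonical_url_path(raw_path) == decoded.lower()


# Constructed request variants that all name the same protected page.
VARIANTS = [
    "/secure/report.aspx",            # canonical spelling
    "/Secure/report.aspx",            # case difference
    "/secure%5Creport.aspx",          # encoded backslash
    "/secure\\report.aspx",           # literal backslash
    "/secure%255Creport.aspx",        # doubly encoded backslash
    "/public/..%2Fsecure/report.aspx",  # dot-dot through another directory
    "/../secure/report.aspx",         # dot-dot above the web root
]

if __name__ == "__main__":
    for raw in VARIANTS:
        print(f"{raw:36} canonical={canonical_url_path(raw)} "
              f"naive_auth={naive_requires_auth(raw)!s:5} "
              f"canonical_auth={requires_auth(raw)!s:5} "
              f"guard_accepts={begin_request_check(raw)}")
    for p in (r"c:\temp\subdir\..\somefile.dat",
              r"c%3A%5Ctemp%5Csubdir%5C%2E%2E%5Csomefile.dat"):
        print(f"{p:48} -> {canonical_file_path(p)}")
```

Running it shows that only the first variant is protected by the naive prefix check, every variant is protected once canonicalized, and the guard admits only the canonical spelling; the two file-path spellings from the list above both reduce to c:\temp\somefile.dat.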

More Information:

Published by

Amit Bahree

