[karsten samaschke]
ASP.NET daily. Or weekly.

ASP.NET Forms vulnerability does not only affect Forms Authentication! - October 2, 2004
It gets worse and worse: As Lorenzo Barbieri states in his weblog (http://weblogs.asp.net/lbarbieri/archive/2004/10/02/237049.aspx), the \- and %5c-vulnerability does not only affect Forms Authentication: It also affects Windows Authentication! If you secure a path - say: http:localhostsitesecuredefault.aspx - and the client (=browser) tries to access the resource using backslashes or (even worse) the hexadecimal representation (http:localhostsitesecuredefault.aspx or...
http://weblogs.asp.net/ksamaschke/archive/2004/10/02/237055.aspx

Major ASP.NET Forms Authentication vulnerability found! - October 2, 2004
A major ASP.NET Forms Authentication vulnerability has been found! In short: When you secure sub-directories using Forms Authentication, you'll usually define this in your web.config. If you use IE to access a sub-directory - for example http:localhostsitesecuredefault.aspx - you'll be redirected to the defined login page. This will also happen when you have a typo - say: http:localhostsitesecuredefault.aspx (note the backslash). But - and this is the bug - it won't happen with...
http://weblogs.asp.net/ksamaschke/archive/2004/10/02/237042.aspx

Got my 4th MVP award! - October 2, 2004
Two days ago I was informed about my fourth MVP award. I'm really proud of this and I want to thank Microsoft for this. And I will continue to do community work. This is a promise!
http://weblogs.asp.net/ksamaschke/archive/2004/10/02/237040.aspx

Having been off for nearly four months... - October 2, 2004
...but I was quite busy: I wrote my very first Java book. And I worked a lot. And I finally bought a new laptop - it is an IBM ThinkPad R50p, which I don't want to miss anymore... :-)
http://weblogs.asp.net/ksamaschke/archive/2004/10/02/237039.aspx