ASP.Net表單認證的漏洞問題
剛剛看到一個ASP.Net表單認證的漏洞問題,
大致上的意思是說,
當我們有某個資料夾不允許匿名存取時,
我們可以用在web.config中的authentication作些設定,
因此如果你用IE去存取這個資料夾的時候(如:http://localhost/site/secure/default.aspx)
你會被導向定義好的登入頁面,
但是,如果你輸入的網址是經過修改的(如:http://localhost/site/secure\default.aspx 將 / 改成 \ )
這樣的話,你就不會被導向登入的頁面而可以直接看到指定的網頁.
而除了將 / 改成 \ 外,
也可以改成%5C或是\%5C
如 http://localhost/site/secure%5Cdefault.aspx
或 http://localhost/site/secure\%5Cdefault.aspx
也可能可以使用...而這是跟Client端的瀏覽器有關係..
因為有些瀏覽器會先將URL作些處理後再發送到主機..
而受影響的主機是所有windows 2003之前,有裝.NET framework的主機,
而解決的方法是安裝 URLScan 還有 IIS Lockdown Tool
相關文章
Major ASP.NET Forms Authentication Vulnerability Found
http://asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=709506
What You Should Know About a Reported Vulnerability in Microsoft ASP.NET
http://www.microsoft.com/security/incident/aspnet.mspx
Alert – ASP.NET Security Issue and Guidance
http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=711220
ASP.NET authentication security bug in IIS4/IIS5(ASP.NET on IIS6 Windows 2003 is not affected)
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/10/02/27441.aspx
New Vulnerablility in Asp.Net Forms Authentication which allows malicious users to read "private pages"
http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754
ASP.NET vulnerability is not ONLY on Forms Autentication... Windows autentication is vulnerable too!!!
http://weblogs.asp.net/lbarbieri/archive/2004/10/02/237049.aspx
Major ASP.NET Forms Authentication vulnerability found!
http://weblogs.asp.net/ksamaschke/archive/2004/10/02/237042.aspx
ASP.NET Forms vulnerability does not only affect Forms Authentication!
http://weblogs.asp.net/ksamaschke/archive/2004/10/02/237055.aspx
建置安全的 ASP.NET 應用程式:驗證、授權和安全通訊
http://www.microsoft.com/taiwan/msdn/books/ataglance/SecNetHT04.htm
ASP.NET 快速入門教學課程 - 表單架構驗證
http://cht.gotdotnet.com/quickstart/aspplus/doc/formsauth.aspx
URLScan Security Tool version 2.0
http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp