Feeds

MS bitten by old .NET vulnerability

Cross-site scripting again

  • alert
  • submit to reddit

Intelligent flash storage arrays

Numerous installations of Microsoft ASP.NET are vulnerable to cross-site scripting (CSS), according to a recent post by Johannes Westerink to the BugTraq mailing list.

CSS leverages JavaScript and makes it possible to place a malicious URL in an e-mail or on a Web site, which if followed will compromise the user's machine by various means, including exposing shares and/or retrieving data files such as cookies.

JavaScript can also be executed on a remote server using malicious URLs. There are numerous possible attacks; but for one common example, a 404 page may be generated with the added bonus of full path disclosure.

Examples discovered by Westerink include:

http://www.msn.com/~/&ltscript&gtalert(document.cookie)</script&gt.aspx?aspxerrorpath=null
http://my.msn.com/~/&ltscript&gtalert(document.cookie)</script&gt.aspx?aspxerrorpath=null
http://dotnet.microsoft.com/&ltscript&gtalert(document.cookie)</script&gt.aspx
http://terraserver.microsoft.net/&ltscript&gtalert(document.cookie)</script&gt.aspx
http://support.microsoft.com/~/&ltscript&gtalert(document.cookie)</script&gt.aspx?aspxerrorpath=null
http://office.microsoft.com/~/&ltscript&gtalert(document.cookie)</script&gt.aspx?aspxerrorpath=null
http://communities.microsoft.com/~/&ltscript&gtalert(document.cookie)</script&gt.aspx
http://uddi.microsoft.com/~/&ltscript&gtalert(document.cookie)</script&gt.aspx

Westerink says he contacted MS about the issue six months ago but never got a reply.

Meanwhile, Internet security and privacy consultant Richard M. Smith, who now maintains the site ComputerBytesMan.com, "checked in with Microsoft about this problem and was told that this is a known bug that was fixed in ASP.NET before the final software was shipped."

So MS got the message all right, but somehow neglected to mention it to anyone, or even thank Westerink for bringing it to their attention.

"The various Microsoft Web servers that still have the bug are running pre-release versions of ASP.NET," Smith adds. "It looks like Microsoft also has trouble keeping up with security patches and updates."

One hopes they'll have got this sorted by press time.... ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.