www.leastprivilege.com - Serious ASP.NET Forms Authentication Vulnerability

Thursday, September 30, 2004

Serious ASP.NET Forms Authentication Vulnerability

forwarded from OWASP-DOTNET read the whole story here for some examples of vulnerable and not vulnerable web.config settings.

It seems from the original mail that microsoft wasn't even contacted before disclosing this vulnerability which is extremely bad style.

this is serious!

Date: Tue, 14 Sep 2004 12:42:28 +0100
From: Toby Beaumont <toby:nospam.CREATOR.CO.UK>
Subject: Security bug in .NET Forms Authentication

We believe we have discovered a serious flaw in .NET forms authentication when used to secure sub folders.

A standard forms authentication setup requires the presence of "web.config"

to set the authentication method and login procedure. The presence of this file prevents access to certain files (.aspx files for example) unless authenticated.

Example

-------

The webroot for your website is:

c:\inetpub\wwwroot\mysite

You want to secure files in a sub directory "secure"

c:\inetpub\wwwroot\mysite\secure\web.config

A request to http://localhost/secure/somefile.aspx would then redirect the user to a predefined authentication page, as defined in web.config, before allowing the user access to "somefile.aspx".

Bug

---

1. Using Mozilla not IE, you make a request to http://localhost/secure\somefile.aspx
The use of a backslash rather than a forward slash appears to bypass the expected authentication model invoked in .NET forms authentication

2. Using IE, you make a request to http://localhost/secure\somefile.aspx -
IE automatically replaces the backslash "\" with a forward slash "/" and everything appears fine. However, replace the backslash "\" with %5C (%5C being hex value for \) and all is not so fine:

http://localhost/secure%5Csomefile.aspx

Work in Progress
Thursday, September 30, 2004 8:50:55 AM UTC