The Asp.Net Vulnerability and DotNetBlogEngine.Net

by Jon 20. September 2010 21:34

A FIX HAS NOW BEEN RELEASED BY MICROSOFT, download from here

Looking at ScottGu's Post and DotNetBlogEngine.Net configuration it looks like DotNetBlogEngine may be one of the Web applications that is vulnerable in the out of the box configuration (I'm not 100% sure and I can't find anyone on the dotnetblogengine forums talking about it).  It's still not especially clear, but it looks like we need to take these steps to secure our blogs.  Better safe than sorry, until the underlying problem is fixed?

Replace the Custom Errors in Web.Config

<customErrors mode="RemoteOnly" defaultRedirect="~/error404.aspx">
   <error statusCode="404" redirect="error404.aspx" />
</customErrors>

With

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/fail.aspx" />
Then Add a new File Called fail.aspx to the root folder:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
   void Page_Load() {
      // Sleep for a random 0-255 ms so the time taken to serve the error page
      // does not reveal which kind of error occurred on the server.
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);

      // RNGCryptoServiceProvider holds an unmanaged handle; release it.
      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
   }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
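The two steps above are easy to get half right: leaving a per-status-code <error> entry in place, or forgetting redirectMode="ResponseRewrite", means different errors still produce visibly different responses. The following script is an added example (not code from this post, from BlogEngine.NET or from ScottGu's post) that parses a web.config and reports which parts of the customErrors mitigation are missing. The two embedded config fragments are constructed samples: the first mirrors the "before" configuration shown above, the second the replacement.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a BlogEngine.NET-style web.config fragment as the post
# describes the out-of-the-box setting (RemoteOnly plus a per-status 404 page).
BEFORE = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error404.aspx">
      <error statusCode="404" redirect="error404.aspx" />
    </customErrors>
  </system.web>
</configuration>"""

# Constructed sample: the replacement recommended in the post.
AFTER = """<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/fail.aspx" />
  </system.web>
</configuration>"""


def check_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means the customErrors
    section matches the mitigation (mode=On, ResponseRewrite, single page)."""
    findings = []
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        return ["no <customErrors> element under <system.web>"]

    if node.get("mode") != "On":
        # RemoteOnly/Off let some clients see detailed error information.
        findings.append('mode is %r, expected "On" so every client gets the same error page'
                        % node.get("mode"))
    if node.get("redirectMode") != "ResponseRewrite":
        # A redirect produces a distinguishable response instead of serving
        # the error page in place.
        findings.append('redirectMode is not "ResponseRewrite"')
    if not node.get("defaultRedirect"):
        findings.append("defaultRedirect is missing")

    per_status = node.findall("error")
    if per_status:
        codes = ", ".join(e.get("statusCode", "?") for e in per_status)
        # Separate pages per status code make error types distinguishable again.
        findings.append("per-status <error> entries present (statusCode %s)" % codes)
    return findings


def is_mitigated(web_config_xml):
    """True when check_custom_errors() reports nothing."""
    return not check_custom_errors(web_config_xml)


def check_file(path):
    """Check a real web.config on disk (path is whatever you point it at)."""
    with open(path, "r", encoding="utf-8-sig") as f:
        return check_custom_errors(f.read())


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        problems = check_custom_errors(cfg)
        print(label, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

Run it against the site's real file with check_file(r"C:\inetpub\wwwroot\blog\web.config") (path is an assumption); the "before" sample reports three findings and the "after" sample none.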

For more information on the problem and details of the fix, please look at Scott's post.

asp.net | BlogEngine | scottgu

Comments (5)

Michael (United States) | 27/09/2010 21:35:24

With the most recent update on Scott Guthrie's post on this ASP.NET vulnerability, what exceptions to the URLScanner need to be made to facilitate BlogEngine.NET?

Jon (United Kingdom) | 27/09/2010 22:06:46

Michael

From what I have read on Scott's update there is now a sledgehammer approach to fix the problem with UrlScan, by disabling error pages by adding 'aspxerrorpath=' to the UrlScan ini file.

Scott's updated post is here:
weblogs.asp.net/.../...-asp-net-vulnerability.aspx

Michael (United States) | 27/09/2010 22:23:09

It disables some of my blogs... so the question, as before, is how do I fix the urlscan.ini file to keep this from blocking BE.NET extensions?

Jon (United Kingdom) | 27/09/2010 22:44:57

Perhaps don't go for the UrlScan fix, go for the patch instead?  UrlScan blocks specific URL patterns, but it sounds like it is blocking too much in your case?

Not sure what else to suggest. I wrote this blog post because I couldn't find anything on the BE forums about the vulnerability and wanted to do something to secure my site.  I'm hoping we will get an official reply from BlogEngine, and better still an official fix from Microsoft ASAP.  As I said in the post, it's all a little unclear.  Following Scott and keeping an eye open on posts is the best we can do, I guess.

Jon (United Kingdom) | 27/09/2010 23:11:33

Microsoft/Scott have just announced an official fix to this problem:
weblogs.asp.net/.../...ping-tuesday-sept-28th.aspx

Powered by BlogEngine.NET 2.0.0.36