Thursday, October 07, 2004

Old bugs in new software

(Old holes in new software)

Oops... it isn't official yet, but there could be a bug in ASP.NET that lets users read files that should require authorization, through a problem in the canonicalization of URLs. (The article is at http://www.microsoft.com/security/incident/aspnet.mspx)

The "Programmatically check for canonicalization issues with ASP.NET" article gives you an explanation and a (supposed) solution for this problem, but I post the code for VB and C# here.

Put this in the Application_BeginRequest event handler of the Global.asax file.

Visual Basic .NET

<script language="vb" runat="server">
  Sub Application_BeginRequest(Sender As Object, E As EventArgs)
    ' Reject a backslash anywhere in the virtual path, or a physical path
    ' that differs from its fully-qualified (canonical) form.
    If (Request.Path.IndexOf(Chr(92)) >= 0 Or System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) Then
      Throw New HttpException(404, "Not Found")
    End If
  End Sub
</script>


C#

<script language="C#" runat="server">
  void Application_BeginRequest(object source, EventArgs e) {
    // Reject a backslash anywhere in the virtual path, or a physical path
    // that differs from its fully-qualified (canonical) form.
    if (Request.Path.IndexOf('\\') >= 0 || System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
      throw new HttpException(404, "not found");
    }
  }
</script>
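As an added illustration (not from the original post or from Microsoft's article), here are the same two checks in Python, run against constructed request paths. The web root, the URL-to-physical-path mapping and the use of ntpath.normpath in place of System.IO.Path.GetFullPath are assumptions of this example; ASP.NET's Request.Path is already URL-decoded, so the inputs below are decoded paths.

```python
import ntpath

# Constructed web root; stands in for the IIS application directory.
WEB_ROOT = r"C:\inetpub\wwwroot"


def physical_path(request_path: str) -> str:
    """Assumed stand-in for Request.PhysicalPath: the decoded virtual path
    appended to the web root with slashes flipped and NO normalization."""
    return WEB_ROOT + request_path.replace("/", "\\")


def is_canonical(request_path: str) -> bool:
    """The post's two checks. A backslash in the virtual path is rejected
    outright; otherwise the physical path must already equal its
    fully-qualified form (ntpath.normpath plays GetFullPath's role, so
    '..', '.' and doubled separators all make the path non-canonical)."""
    if "\\" in request_path:
        return False
    phys = physical_path(request_path)
    return ntpath.normpath(phys) == phys


def handle_request(request_path: str) -> int:
    """Mirror of Application_BeginRequest: 404 for a non-canonical path,
    200 (assumed success status) when the request is allowed through."""
    return 200 if is_canonical(request_path) else 404


if __name__ == "__main__":
    # Constructed sample requests; only the first one is in canonical form.
    samples = [
        "/protected/secret.aspx",
        "/protected\\secret.aspx",
        "/protected/../secret.aspx",
        "/protected/./secret.aspx",
        "/protected//secret.aspx",
    ]
    for p in samples:
        print(f"{handle_request(p)}  {p!r}")
```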


