Massive ASP.Net Forms Authentication vulnerability


  1. #1

    Massive ASP.Net Forms Authentication vulnerability

    [url]http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754[/url]

    This is, IMNSHO, the worst thing I've ever heard of.

    Spread the word, test your sites, and send angry emails to Microsoft.
    ---
    Greg Hurlman
    ghurlman*AT*squaretwo*DOT*net
    [url]http://blogs.squaretwo.net[/url]
    Greg Hurlman Guest

  3. #2

    Re: Massive ASP.Net Forms Authentication vulnerability

    This seems to me like an absolutely massive security hole, but I see
    it was posted to various security lists TWO WEEKS ago without any
    response. What's Microsoft waiting for??




    On Thu, 30 Sep 2004 06:17:02 -0700, Greg Hurlman
    <ghurlman*AT*squaretwo*DOT*net> wrote:
    >[url]http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754[/url]
    >
    >This is, IMNSHO, the worst thing I've ever heard of.
    >
    >Spread the word, test your sites, and send angry emails to Microsoft.
    >---
    >Greg Hurlman
    >ghurlman*AT*squaretwo*DOT*net
    >[url]http://blogs.squaretwo.net[/url]
    Mike Bridge Guest

  4. #3

    Re: Massive ASP.Net Forms Authentication vulnerability

    Hmm... this exploit affects URLs for localhost, but I can't seem to
    get it to work on a regular URL....

    -Mike

    On Thu, 30 Sep 2004 06:17:02 -0700, Greg Hurlman
    <ghurlman*AT*squaretwo*DOT*net> wrote:
    >[url]http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754[/url]
    >
    >This is, IMNSHO, the worst thing I've ever heard of.
    >
    >Spread the word, test your sites, and send angry emails to Microsoft.
    >---
    >Greg Hurlman
    >ghurlman*AT*squaretwo*DOT*net
    >[url]http://blogs.squaretwo.net[/url]
    Mike Bridge Guest

  5. #4

    Re: Massive ASP.Net Forms Authentication vulnerability

    What about installing UrlScan?

    I did that a year ago or so....

    --
    Daniel Fisher(lennybacon)
    MCP C# ASP.NET
    Blog: [url]http://www.lennybacon.com/[/url]




    "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
    news:7FAE1C11-2A1D-46E4-83C9-441BE8B2944E@microsoft.com...
    > [url]http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754[/url]
    >
    > This is, IMNSHO, the worst thing I've ever heard of.
    >
    > Spread the word, test your sites, and send angry emails to Microsoft.
    > ---
    > Greg Hurlman
    > ghurlman*AT*squaretwo*DOT*net
    > [url]http://blogs.squaretwo.net[/url]

    Daniel Fisher(lennybacon) Guest

  6. #5

    Re: Massive ASP.Net Forms Authentication vulnerability

    Greg,
    I have confirmed this security hole on XP Professional with IE6. This is a
    reminder to the companies - never solely rely on Microsoft for their
    application security.

    Thanks,
    Prodip

    "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
    news:7FAE1C11-2A1D-46E4-83C9-441BE8B2944E@microsoft.com...
    > [url]http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754[/url]
    >
    > This is, IMNSHO, the worst thing I've ever heard of.
    >
    > Spread the word, test your sites, and send angry emails to Microsoft.
    > ---
    > Greg Hurlman
    > ghurlman*AT*squaretwo*DOT*net
    > [url]http://blogs.squaretwo.net[/url]

    Prodip Saha Guest
