
Massive ASP.Net Forms Authentication vulnerability - ASP.NET Security

  1. #1

    Massive ASP.Net Forms Authentication vulnerability

    [url]http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754[/url]

    This is, IMNSHO, the worst thing I've ever heard of.

    Spread the word, test your sites, and send angry emails to Microsoft.
    ---
    Greg Hurlman
    ghurlman*AT*squaretwo*DOT*net
    [url]http://blogs.squaretwo.net[/url]
    Greg Hurlman Guest

  2. #2

    Re: Massive ASP.Net Forms Authentication vulnerability

    This seems to me like an absolutely massive security hole, but I see
    it was posted to various security lists TWO WEEKS ago without any
    response. What's Microsoft waiting for??




    On Thu, 30 Sep 2004 06:17:02 -0700, Greg Hurlman
    <ghurlman*AT*squaretwo*DOT*net> wrote:
    >[url]http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754[/url]
    >
    >This is, IMNSHO, the worst thing I've ever heard of.
    >
    >Spread the word, test your sites, and send angry emails to Microsoft.
    >---
    >Greg Hurlman
    >ghurlman*AT*squaretwo*DOT*net
    >[url]http://blogs.squaretwo.net[/url]
    Mike Bridge Guest

  3. #3

    Re: Massive ASP.Net Forms Authentication vulnerability

    Hmm... this exploit affects URLs for localhost, but I can't seem to
    get it to work on a regular URL....

    -Mike

    On Thu, 30 Sep 2004 06:17:02 -0700, Greg Hurlman
    <ghurlman*AT*squaretwo*DOT*net> wrote:
    >[url]http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754[/url]
    >
    >This is, IMNSHO, the worst thing I've ever heard of.
    >
    >Spread the word, test your sites, and send angry emails to Microsoft.
    >---
    >Greg Hurlman
    >ghurlman*AT*squaretwo*DOT*net
    >[url]http://blogs.squaretwo.net[/url]
    Mike Bridge Guest

  4. #4

    Re: Massive ASP.Net Forms Authentication vulnerability

    What about installing UrlScan?

    I did that a year ago or so....

    --
    Daniel Fisher(lennybacon)
    MCP C# ASP.NET
    Blog: [url]http://www.lennybacon.com/[/url]




    "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
    news:7FAE1C11-2A1D-46E4-83C9-441BE8B2944Emicrosoft.com...
    > [url]http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754[/url]
    >
    > This is, IMNSHO, the worst thing I've ever heard of.
    >
    > Spread the word, test your sites, and send angry emails to Microsoft.
    > ---
    > Greg Hurlman
    > ghurlman*AT*squaretwo*DOT*net
    > [url]http://blogs.squaretwo.net[/url]

    Daniel Fisher(lennybacon) Guest

  5. #5

    Re: Massive ASP.Net Forms Authentication vulnerability

    Greg,
    I have confirmed this security hole on XP Professional with IE6. This is a
    reminder to the companies: never solely rely on Microsoft for their
    application security.

    Thanks,
    Prodip

    "Greg Hurlman" <ghurlman*AT*squaretwo*DOT*net> wrote in message
    news:7FAE1C11-2A1D-46E4-83C9-441BE8B2944Emicrosoft.com...
    > [url]http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754[/url]
    >
    > This is, IMNSHO, the worst thing I've ever heard of.
    >
    > Spread the word, test your sites, and send angry emails to Microsoft.
    > ---
    > Greg Hurlman
    > ghurlman*AT*squaretwo*DOT*net
    > [url]http://blogs.squaretwo.net[/url]

    Prodip Saha Guest
