<2017 September>
SunMonTueWedThuFriSat
272829303112
3456789
10111213141516
17181920212223
24252627282930
1234567

On this page...

Search

Links

Member of...


ASP Insiders

MVP Visual Developer ASP/ASP.NET

Enter CodeZone

Blog Categories

Microsoft

Blogroll

Deutsche Resourcen

Management

Sign In
 

#  Wednesday, 06 October 2004

Early Tuesday morning last week, I already had a blog entry up with exactly that title. However, I took it down because Scott Guthrie did ask to buy some time for his ASP.NET team which was already working on a fix for the zero-day exploit reported on NTBugtraq. I changed my entry to Two of the most important security mailing lists, an article containing useful advice– especially programmers are usually not subscribed to these lists, and this I consider to be bordering on irresponsible these days.

To get back to the security bug in Forms Authentication: the ASP.NET team has posted a KB article and a security alert. Turn to implementing the workaround options immediately!

An IIS best practice using URLScan for the backslash canonicalization issue found in ASP.NET was brought up independently by Stephan on our German ASP.NET mailing list last Tuesday. Too bad that we had to advise lots of people to install a tool that was readily available for years!

Bootnote: Hadn’t it been a security vulnerability for ASP.NET, I would have never even considered taking my blog entry down (the ASP.NET team is just absolutely fabulous and their support for the community rocks). I flat-out do not believe that one helps the good guys by not telling them about publicly known zero day exploits (NTBugtraq isn’t just any mailing list after all, and shooting the messenger never was a brilliant solution). This is why the German ASP.NET community knew about the sploit before 7:30AM CET on Tuesday. Even if we hadn’t found a workaround, disabling vulnerable sites would still have been a much better choice than being hacked without knowing.

Categories: ASP.NET | Security
Wednesday, 06 October 2004 07:28:25 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



© Copyright 2017 Christoph Wille

newtelligence dasBlog 2.3.9074.18820
Subscribe to this weblog's RSS feed with SharpReader, Radio Userland, NewsGator or any other aggregator listening on port 5335 by clicking this button.   RSS 2.0|Atom 1.0  Send mail to the author(s)

 
Don't contact us via this (fleischfalle@alphasierrapapa.com) email address.