Early Tuesday morning last week, I already had a blog entry up with exactly that title. However, I took it down because Scott Guthrie did ask to buy some time for his ASP.NET team which was already working on a fix for the zero-day exploit reported on NTBugtraq. I changed my entry to Two of the most important security mailing lists, an article containing useful advice– especially programmers are usually not subscribed to these lists, and this I consider to be bordering on irresponsible these days.
To get back to the security bug in Forms Authentication: the ASP.NET team has posted a KB article and a security alert. Turn to implementing the workaround options immediately!
An IIS best practice using URLScan for the backslash canonicalization issue found in ASP.NET was brought up independently by Stephan on our German ASP.NET mailing list last Tuesday. Too bad that we had to advise lots of people to install a tool that was readily available for years!
Bootnote: Hadn’t it been a security vulnerability for ASP.NET, I would have never even considered taking my blog entry down (the ASP.NET team is just absolutely fabulous and their support for the community rocks). I flat-out do not believe that one helps the good guys by not telling them about publicly known zero day exploits (NTBugtraq isn’t just any mailing list after all, and shooting the messenger never was a brilliant solution). This is why the German ASP.NET community knew about the sploit before 7:30AM CET on Tuesday. Even if we hadn’t found a workaround, disabling vulnerable sites would still have been a much better choice than being hacked without knowing.