What you should know about a new Vulnerability in ASP.NET

Microsoft is currently investigating a reported vulnerability in ASP.NET (does not affect ASP) where an attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This issue affects anyone running any version of ASP.NET on Microsoft Windows 2000 Professional, 2000 Server, XP Professional, and 2003 Server.

The issue at hand really is that asp.net does not perform a proper canonicalization (will get to what it is in a minute) of some URLs.

So what should you do?

Good question, to begin add additional canonicalization safeguards to your Web application. To easily do this add the Application_BeginRequest event handler in your Global.asax file. Since, this event handler executes for each Web request, it is a convenient location to insert code to help safeguard against canonicalization issues. Here is a sample:

1
2
3
4
5
6

void Application\_BeginRequest(object source, EventArgs e) {  
    if (Request.Path.IndexOf('\\\\') >= 0 ||  
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {  
        throw new HttpException(404, "not found");  
    }  
}

What is Canonicalization? It is the process by which various equivalent forms of a name can be resolved to a single, standard name - the so-called canonical name. Data in canonical form is in its most standard or simplest form. Canonicalization is the process of converting data to its canonical form. File paths and URLs are particularly prone to canonicalization issues and many well-known exploits are a direct result of canonicalization bugs.

For example, consider the following string that contains a file and path in its canonical form:
c:\\temp\\somefile.dat

The following strings could also represent the same file:

• somefile.dat
• c:\temp\subdir\..\somefile.dat
• c:\  temp\   somefile.dat
• ..\somefile.dat
• c%3A%5Ctemp%5Csubdir%5C%2E%2E%5Csomefile.dat

In the example above, characters have been specified in hexadecimal form:

• %3A is the colon character.
• %5C is the backslash character.
• %2E is the dot character.

You should generally try to avoid designing applications that accept input file names from the user to avoid canonicalization issues. Consider alternative designs instead. For example, let the application determine the file name for the user.

If you do need to accept input file names, make sure they are strictly formed before making security decisions such as granting or denying access to the specified file.

More Information:

• http://tinyurl.com/535c3
• http://tinyurl.com/57y87
• http://tinyurl.com/4lzuj