New ASP.NET vulnerability

Wednesday, October 06, 2004 10:29 AM

Microsoft just published some information about a new ASP.NET vulnerability. According to the web page, an attacker could exploit this vulnerability to view secured content on a server without providing the proper credentials. This issue affects any version of ASP.NET.

At the moment, Microsoft recommends implementing the suggestion made in KB article 887459 ("Programmatically Checking for Canonicalization Issues with ASP.NET"). The article provides C# and VB.NET code samples. If you're using Delphi 8, open the Global.pas file and edit the Application_BeginRequest method:

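procedure TGlobal.Application_BeginRequest(sender: System.Object; e: EventArgs);
begin
  // Reject the request if the URL path contains a backslash, or if the
  // mapped physical path is not already in its canonical (full-path) form.
  if (Request.Path.IndexOf('\') >= 0) or
    (System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
    // Answer with 404 so the request never reaches the page handler.
    raise HttpException.Create(404, 'not found');
end;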

Make sure you add System.IO to your uses clause to compile the code.

Copyright 2004 Yorai Aminov