Important: ASP.NET Security Vulnerability
A couple of days ago I became aware of the following article: Security Hack Exposes Forms Authentication in ASP.NET. That never sounds good, and Microsoft swiftly published a workaround to mitigate the attack. The attack is a padding oracle: it depends on the server answering different kinds of error in distinguishable ways, so the workaround makes every error produce one identical response, delayed by a small random amount of time. It consists of nothing more than a change to your web.config and one extra file with a few lines of code in it. Keep in mind that this is a mitigation to apply now, not a substitute for installing the security update once it ships.
For ASP.NET 1.0 to 3.5 use this adjustment. Every error must end up on this one page, so don't add per-status <error> entries under customErrors, and make sure no web.config further down the directory tree overrides the setting:
<configuration>
    <system.web>
        <customErrors mode="On" defaultRedirect="~/error.html" />
    </system.web>
</configuration>
For ASP.NET 3.5 SP1 and 4.0 use this adjustment. redirectMode="ResponseRewrite" serves the error page in place of the failed response instead of issuing a redirect, and the target is an .aspx page so that it can run the random delay shown below:
<configuration>
    <system.web>
        <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
    </system.web>
</configuration>
You’ll also need to put that error.aspx page on your server with the following content (for the 1.0 to 3.5 configuration, error.html is just a static page carrying the same generic message). The page sleeps for a random 0 to 255 milliseconds before rendering, so that the time an error takes to come back doesn't reveal what kind of error it was:
VB version:
<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    Sub Page_Load()
        ' One cryptographically random byte gives a 0-255 ms delay,
        ' masking any timing difference between error types.
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))
        ' On older frameworks the base class does not implement IDisposable,
        ' hence the TryCast rather than a Using block.
        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>
<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        Sorry - an error occurred
    </div>
</body>
</html>
C# version:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    void Page_Load() {
        // One cryptographically random byte gives a 0-255 ms delay,
        // masking any timing difference between error types.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);
        // On older frameworks the base class does not implement IDisposable,
        // hence the cast rather than a using block.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>
<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
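Once the web.config and the error page are in place, it is worth checking from the outside that the site really does answer every error the same way. The script below is an added example for this page, not code from the original post or from Microsoft: it requests a few URLs that, without the workaround, tend to produce different error responses, then checks that the site returned the same status code and the same body for all of them and that no path is grossly slower than the others. The base URL and the three probe paths are assumptions; adjust them to your site.

```python
"""Probe an ASP.NET site for the uniform-error-response workaround.

Added example for this page: not code from the original post or from
Microsoft. It fetches a few URLs that, without the workaround, tend to
produce different error responses, then checks that every one of them
came back with the same status code and body and with no gross timing
difference. The probe paths and the base URL are assumptions.
"""
import hashlib
import statistics
import sys
import time
import urllib.error
import urllib.request

# Illustrative probe paths (assumption): a page that does not exist, a
# WebResource.axd request with no parameters, and one whose encrypted
# "d" parameter is garbage. An unmitigated site tends to answer these
# three with different errors.
PROBE_PATHS = [
    "/no-such-page.aspx",
    "/WebResource.axd",
    "/WebResource.axd?d=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
]


def fetch(url, timeout=10):
    """Return (status, body, seconds) for one GET; HTTP error responses
    are captured (status and body) instead of being raised."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    return status, body, time.monotonic() - start


def analyze(samples, max_spread_ms=150.0):
    """samples: {path: [(status, body, seconds), ...]}.

    Returns a report saying whether every observation shared one status
    code and one body, plus the per-path median latency and how far
    apart those medians are. With the random 0-255 ms delay in place the
    medians over a few rounds land close together; a spread beyond
    max_spread_ms suggests one path is doing something the others are not.
    """
    statuses, digests, median_ms = set(), set(), {}
    for path, observations in samples.items():
        for status, body, _ in observations:
            statuses.add(status)
            digests.add(hashlib.sha256(body).hexdigest())
        median_ms[path] = 1000.0 * statistics.median(
            [seconds for _, _, seconds in observations])
    spread = max(median_ms.values()) - min(median_ms.values())
    return {
        "uniform_status": len(statuses) == 1,
        "uniform_body": len(digests) == 1,
        "median_ms": median_ms,
        "timing_spread_ms": spread,
        "timing_ok": spread <= max_spread_ms,
    }


def probe(base_url, rounds=5):
    """Fetch each probe path `rounds` times and analyze the results."""
    base = base_url.rstrip("/")
    samples = {path: [fetch(base + path) for _ in range(rounds)]
               for path in PROBE_PATHS}
    return analyze(samples)


if __name__ == "__main__":
    report = probe(sys.argv[1] if len(sys.argv) > 1 else "http://localhost")
    for key, value in report.items():
        print(f"{key}: {value}")
    ok = report["uniform_status"] and report["uniform_body"] and report["timing_ok"]
    print("workaround looks effective" if ok else "responses still differ")
```

Run it as `python probe_errors.py https://yoursite` against a test copy of the site. If the three paths still come back with different bodies, or one path returns a 404 while another returns a 500, the workaround has not taken effect; the usual culprits are per-status <error> entries under customErrors or a web.config lower in the tree that overrides the setting. The timing check is only coarse, since the random delay itself adds up to 255 ms of noise to every response; the body and status checks are the ones that matter most.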
Grz, Kris.