Tag Archives: IIS

Custom ErrorDocuments Available For Download

After writing so much about the ASP.NET cryptographic padding oracle exploit, and the recommended workaround of a static error document, it dawned on me that I should probably make some custom error documents for my domains.

And then I decided I should share them. So, if you’re so inclined, you can download the custom error documents I use on this site. I release all code under the latest version of the GNU GPL.

I’ve created pages for 401 (unauthorized), 403 (forbidden), 404 (not found) and 500 (internal server) HTTP errors.

I designed these to be valid XHTML 1.0; to render well at all screen resolutions of 1024 x 768 and greater; and to appear the same in most Web browsers. (Of course, I exclude Internet Explorer prior to version 7 from that list.)

This little exercise also gave me a chance to play with the Google Font API. There aren’t a lot of fonts available yet, but using the API couldn’t be simpler.

Instructions on implementing custom error documents on Apache can be found here. Microsoft documents how to add customErrors settings to your ASP.NET web.config file here.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/custom-errordocuments-available-for-download

ASP.NET Crypto Exploit Patch Ships Tuesday, Sept. 28

Scott Guthrie noted on his blog that Microsoft will ship, on Tuesday, a hotfix for the ASP.NET cryptographic padding oracle exploit. It is to be released at 10 a.m. PDT; that’s 1 p.m. EDT / 17:00 GMT.

Guthrie says the patch has been fully tested and, once installed, removes the need for the previously published workarounds. As in, after you install this patch, you can turn off custom errors or use custom error files for specific errors.

Glad Microsoft worked this out so quickly. Don’t fail to get and apply this patch.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-ships-tuesday-sept-28

Microsoft Urges URLScan Implementation To Combat Crypto Vulnerability

In a further update on how to combat the ASP.NET CryptographicException hack, Microsoft is now urging webmasters to use the URLScan utility to further thwart oracle attempts.

In a blog post on Friday, Scott Guthrie, corporate vice president of .NET at Microsoft, said the step — which removes aspxerrorpath as an allowed querystring variable — “prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.”

URLScan is an Internet Information Server (IIS) extension. If you manage your own IIS server, you should follow the instructions at Guthrie’s blog post to download, install and configure the workaround.

If you are on shared or managed hosting, check with your Web host’s tech support department to see if they have implemented, or will implement, this step for you.

Again, this is a serious threat that is fully scripted, meaning any malcontent — including one with no practical programming skill — can exploit a site with widely available tools.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/microsoft-urges-urlscan-implementation-to-combat-crypto-vulnerability

FAQ Released For Microsoft ASP.NET CryptographicException Attack

Scott Guthrie, Microsoft’s corporate vice president for the .NET platform, posted on his blog late Monday a FAQ about the ASP.NET CryptographicException vulnerability.

Highlights:

  • All versions of ASP.NET are affected. That includes WebForms and MVC versions 1 and 2.
  • SharePoint is affected, too. A workaround on how to employ a new generic error document for SharePoint is detailed at that team’s blog.
  • Everyone should employ the recommended workarounds.
  • You have to route all HTTP errors to the workaround’s generic error page. Otherwise, the hack still works.
  • A patch will be released as a Windows Update hotfix, but no release date has been set yet.
  • Check your logs for CryptographicException errors. If you see them, it’s possible you are being probed.
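The point in the fourth bullet, as a web.config fragment: the weak configuration (status-code-specific pages) beside the one the workaround calls for (a single page for every error). This is an added example, not code from the original post or from Microsoft’s FAQ; the file paths and page names are assumed.

```xml
<?xml version="1.0"?>
<!-- Assumed file: web.config at the application root.

     WEAK: status-code-specific error pages (or customErrors mode="Off").
     A client can then tell a CryptographicException (HTTP 500 on bad
     padding) apart from a 404 or 401, which is exactly the signal a
     padding-oracle probe needs:

       <customErrors mode="On" defaultRedirect="~/Error.aspx">
         <error statusCode="404" redirect="~/NotFound.aspx" />
         <error statusCode="500" redirect="~/ServerError.aspx" />
       </customErrors>

     HARDENED: one generic page for every error and no <error> children,
     so every failure produces the same response. -->
<configuration>
  <system.web>
    <!-- redirectMode="ResponseRewrite" (ASP.NET 3.5 SP1 and 4.0) serves the
         page in place rather than answering with a 302, so the status the
         client sees does not vary by error type. On older versions omit
         redirectMode and point defaultRedirect at a static .html file. -->
    <customErrors mode="On" redirectMode="ResponseRewrite"
                  defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

The error page itself should not echo the status code or the original URL, or the distinction the workaround hides reappears in the page body.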

I take this very seriously. There’s a tool and video tutorial out there detailing how to run this exploit, so every script kiddie in the world is looking for sites to exploit, I am sure.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/faq-released-for-microsoft-asp-net-cryptographicexception-attack