ASP.NET - Security Vulnerability (Cryptographic Oracles) and web services
Just reading about this ASP.NET security vulnerability.
Just wondering if this could be used to attack a WCF service hosted under IIS to get to its web.config, or if it's a pure ASP.NET vulnerability.
Yes you can be affected.
I am having a hard time understanding the full details of this attack, but it is a fundamental problem with ASP.Net and anything that runs on it is affected.
If someone can reach your server, they can send an invalid request, get the error page and proceed with the attack.
Other people have specifically asked about services and it was mentioned that they are affected.
I cannot see how someone can attack the WCF service using the oracle technique.
Anyway, WCF needs a good design and security measures, because by itself there are functions that return data without any check unless you create this check.
Also: How serious is this new ASP.NET security vulnerability and how can I workaround it?
FYI, a patch for this bug has been released on Windows Update.
http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx