开发者

Oracle padding security related query

问答 作者:

I am still unable to figure out the following which are related to Oracle padding security issue. The no. 1 po开发者_如何学Cint is in general which I wanted to know the easy way to change the Machine key. The no. 2 point is related to Security issue.

  1. If I change the machine key then how easily I can change the user passwords stored in the DB. User passwords are also encrypted with same machine key. Changing the key will make passwords to become invalid. Please correct me if I am mistaken.
  2. In webresource.axd?d=..., What is the data type stored in 'd' parameter. How it will allow to download any arbitrary file. I know only that it can allow embedded resources to download. But can someone show an example to download web.config file using webresource.axd. Everybody talks that web.config can be downloaded but I did not find an example of doing that.

I will be glad to know if someone can answer with simple example. Please do not point me to ScotGu blog and after reading his blog and recommendation I do not want to visit his blog again and am surprised to know how he is leading asp.net team.

I'll try to answer your questions from what I have learned about the issue so far.

  1. User passwords in the DB are not at all related to the machine key of the app. The ASP.NET worker process by default generates a new machine key every time your app is restarted.
    (Thus, if the DB passwords were dependent on the machine key, they would become invalid in every few days.)

  2. About downloading Web.config, we don't really know. Some people think that it is dependent on another security hole. If you use MVC (or WebForms without these), it is the safest if you disable the .axd requests. (Handle *.axd with HttpForbiddenHandler)

For example:

<httpHandlers>
    ...
    <remove verb="*" path="*.axd"/>
    <add validate="false" verb="*" path="*.axd" type="System.Web.HttpForbiddenHandler, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</httpHandlers>

Or do the same in the system.webServer section if you are using IIS 7.

继续阅读:security

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9