
Oracle padding security related query

I am still unable to figure out the following, which are related to the Oracle padding security issue. Point no. 1 is general: I want to know the easy way to change the machine key. Point no. 2 is related to the security issue.

  1. If I change the machine key, then how easily can I change the user passwords stored in the DB? User passwords are also encrypted with the same machine key. Changing the key will make the passwords become invalid. Please correct me if I am mistaken.
  2. In webresource.axd?d=..., what is the data type stored in the 'd' parameter? How does it allow downloading an arbitrary file? I know only that it can allow embedded resources to be downloaded. But can someone show an example of downloading the web.config file using webresource.axd? Everybody says that web.config can be downloaded, but I did not find an example of doing that.

I will be glad to know if someone can answer with a simple example. Please do not point me to ScottGu's blog; after reading his blog and recommendation I do not want to visit his blog again, and I am surprised to know how he is leading the asp.net team.


I'll try to answer your questions from what I have learned about the issue so far.

  1. User passwords in the DB are not at all related to the machine key of the app. The ASP.NET worker process by default generates a new machine key every time your app is restarted. (Thus, if the DB passwords were dependent on the machine key, they would become invalid every few days.)

  2. About downloading Web.config, we don't really know. Some people think that it is dependent on another security hole. If you use MVC (or WebForms without these), it is safest to disable the .axd requests. (Handle *.axd with HttpForbiddenHandler.)

For example:

<httpHandlers>
    ...
    <remove verb="*" path="*.axd"/>
    <add validate="false" verb="*" path="*.axd" type="System.Web.HttpForbiddenHandler, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</httpHandlers>

Or do the same in the system.webServer section if you are using IIS 7.
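As an added example that is not part of the answer above, here is one way to get the same effect in the system.webServer section on IIS 7 in integrated mode. It swaps the technique: instead of mapping *.axd to HttpForbiddenHandler, it uses IIS request filtering to deny the .axd extension, so the request is rejected (HTTP 404.7) before any handler, including WebResource.axd, is ever invoked.

```xml
<!-- Added example (not from the original post): IIS 7 integrated-mode web.config.
     Denies every *.axd request at the request-filtering stage, so neither
     WebResource.axd nor ScriptResource.axd can be reached. Only suitable for
     applications (MVC, or WebForms that do not rely on these handlers) that
     never need to serve scripts or resources through *.axd. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- allowUnlisted="true" keeps every other extension working as before -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".axd" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After deploying, request /WebResource.axd?d=test against the site and confirm IIS answers with a 404 rather than a 200 or a 500, since a padding oracle relies on observing the difference between those responses.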
