ASP.NET POET Vulnerability - Revision history

Gfedon: /* Not reccomended Fixes (via web.config change) */

2010-10-04T20:08:39Z

‎Not reccomended Fixes (via web.config change)

Gfedon: /* Blogs, News, Articles */

2010-10-04T20:06:55Z

‎Blogs, News, Articles

Gfedon: /* Blogs, News, Articles */

2010-10-04T20:06:28Z

‎Blogs, News, Articles

Gfedon: /* Not reccomended Fixes (via web.config change) */

2010-10-04T20:06:04Z

‎Not reccomended Fixes (via web.config change)

Gfedon: /* Not reccomended Fixes (via web.config change) */

2010-10-04T20:05:41Z

‎Not reccomended Fixes (via web.config change)

Gfedon: /* Fixes (via web.config change) */

2010-10-04T20:05:01Z

‎Fixes (via web.config change)

Gfedon: /* Fixes (via web.config change) */

2010-10-04T20:04:42Z

‎Fixes (via web.config change)

Gfedon: /* Blogs, News, Articles */

2010-10-04T20:02:16Z

‎Blogs, News, Articles

ParanoidMike: Added introductory sentences as a first step towards Dinis' recommended "good/objective description of the problem, good technical desciption of the problem and tons of references"

2010-09-20T21:45:35Z

Added introductory sentences as a first step towards Dinis' recommended "good/objective description of the problem, good technical desciption of the problem and tons of references"

ParanoidMike: Added link to YouTube video

2010-09-20T21:01:31Z

Added link to YouTube video

@@ Line 5: / Line 5: @@
 * Microsoft Security Advisory (2416728) : http://www.microsoft.com/technet/security/advisory/2416728.mspx
-=== Not reccomended Fixes (via web.config change)===
+=== Recommended Fixes ===
 * Important: ASP.NET Security Vulnerability  (ScottGu's blog) http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
 * DotNetNuke ASP.NET Security Vulnerability Fix: http://www.subodh.com/Blog/PostID/116/DotNetNuke-ASP-NET-Security-Vulnerability-Fix
-Why we do not reccomend these workarounds
+Why we do not recommend these workarounds
 * ["T" exploit 200 vs 404 response status]: http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
 * ["T" exploit attack]: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html

@@ Line 23: / Line 23: @@
 * Video demonstration of using POET tool to attack vulnerable ASP.NET deployment http://www.youtube.com/watch?v=yghiC_U2RaM
 * Google Search: http://www.google.co.uk/search?q=ASP.NET+vulnerability
 * Webconfig_Bruter (first public exploit for file downloading): http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
 * Padbuster v0.3 can now download Web.config and much more: http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/

@@ Line 23: / Line 23: @@
 * Video demonstration of using POET tool to attack vulnerable ASP.NET deployment http://www.youtube.com/watch?v=yghiC_U2RaM
 * Google Search: http://www.google.co.uk/search?q=ASP.NET+vulnerability
-* Webconfig_Bruter (first publick exploit for file downloading): http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
+* Webconfig_Bruter (first public exploit for file downloading): http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
 * Padbuster v0.3 can now download Web.config and much more: http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/

@@ Line 10: / Line 10: @@
 Why we do not reccomend these workarounds
-* ["T" exploit 200 vs 404 response status]: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
+* ["T" exploit 200 vs 404 response status]: http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/
 * ["T" exploit attack]: http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html

@@ Line 7: / Line 7: @@
 === Not reccomended Fixes (via web.config change)===
 * Important: ASP.NET Security Vulnerability  (ScottGu's blog) http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
 * DotNetNuke ASP.NET Security Vulnerability Fix: http://www.subodh.com/Blog/PostID/116/DotNetNuke-ASP-NET-Security-Vulnerability-Fix
 ===Blogs, News, Articles===

@@ Line 1: / Line 1: @@
 __TOC__
-This page contains details about the recently disclosed ASP.NET POET Vulnerability:
+This page contains details about the ASP.NET POET vulnerability disclosed on 2010-09-17. This vulnerability exists in all versions of ASP.NET (all  versions released through 2010-09-18).  As of 2010-09-20, there is no fix available to resolve the vulnerability; in the meantime, Microsoft strongly urges all ASP.NET deployments [http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx| perform the recommended workaround] to mitigate the vulnerability in the short-term.
 ===Advisory===

@@ Line 17: / Line 17: @@
 * Argentina joins Axis of Evil with zero day ASP.NET exploit http://www.techeye.net/security/argentina-joins-axis-of-evil-with-zero-day-asp-net-exploit
 * Padding Oracle Exploit Tool http://netifera.com/research/
-* Google Search: http://www.google.co.uk/search?q=ASp.NET+vulnerability
+* Video demonstration of using POET tool to attack vulnerable ASP.NET deployment http://www.youtube.com/watch?v=yghiC_U2RaM
 === discussion Threads===