ASP.Net Vulnerability and SharePoint

UPDATE 09/28/10: Check out new security bulletin to download updates http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

You may have already read these articles. If not, please do it right now.

http://www.microsoft.com/technet/security/advisory/2416728.mspx

http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

I will not repeat the message in those posts, but you should follow the instructions to prevent potential attacks.

So how about SharePoint Server 2007 and WSS 3.0? It’s not on SharePoint Team Blog (yet).

You may need to follow the workaround for ASP.Net 1.0~3.5:

  • Put error.html in %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\12\template\layouts
  • Modify web.config in each directory under %SystemDrive%\inetpub\wwwroot\wss\virtualdirectories to have a customerror section like this: <customErrors mode="On" defaultRedirect="/_layouts/error.html" />
  • IISRESET /NOFORCE

Update: 2007/WSS3 is not vulnerable to the attack. No workaround is needed right now, but you still need to apply the fix when it come out.

Please follow the updated SP team blog post for 2007 issue:

http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx

How to validate? Can I type in some non-existing pages to test if web.config changes work on SharePoint?

The answer would be no. When you try to access a non-existing page on a SharePoint site with a modified web.config you will still have 404 codes. But SharePoint has its own custom error handler to generate those 404s for non-existing pages, which will not be able to be used directly by the attack. The workaround will be able to prevent error codes from being generated by accessing certain ASP.Net resources, and it would work if you followed the steps correctly.

Just remember, the ultimate solution is the upcoming ASP.Net fix. This workaround is just temporary, get you protection before the patch is released. Once it’s released, apply the fix and then restore your web.config to the original ones.

Jie