Ah...and that is scriptable I bet. That changes my view.

From: Andrew S. Baker [mailto:[email protected]]
Sent: Thursday, January 05, 2012 8:54 AM
To: NT System Admin Issues
Subject: Re: MS11-100

And must be able to register an account on the site. Not as hard as you might imagine for some websites...

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Thu, Jan 5, 2012 at 9:35 AM, David Lum <[email protected]> wrote:

Confusing:

"The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name."

http://technet.microsoft.com/en-us/security/bulletin/ms11-100

So...an unauthenticated attacker needs to know an existing user name?

David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
