Info

Disclosure

Sep 14, 2004

Discovery

Unknown

Dates

Exploit

Sep 14, 2004

Solution

Unknown

Description

ASP.NET contains a flaw that may allow a malicious user to bypass authentication. The issue is triggered when a specially crafted URL which takes advantage of character handling is used to directly access a file which otherwise requires authentication. It is possible that the flaw may allow unauthorized file access resulting in a loss of confidentiality.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

Products

Microsoft Corporation	ASP.NET	1.0
		1.1

References

Bugtraq ID: 11342
Microsoft Knowledge Base Article: 887459
Microsoft Security Bulletin: MS05-004
Other Advisory URL: http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754
ISS X-Force ID: 17644
Secunia Advisory ID: 12749
Mail List Post: http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0221.html
http://archives.neohapsis.com/archives/ntbugtraq/2004-q4/0028.html
CVE ID: 2004-0847 (see also: NVD)
Vendor Specific Solution URL: http://www.microsoft.com/downloads/details.aspx?familyid=DA77B852-DFA0-4631-AAF9- ......
Security Tracker: 1011559

Credit

Toby Beaumont - tobycreator.co.uk -

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

ASP.NET

References

Credit