Saturday, September 18, 2010

ASP.NET Security Vulnerability

A few hours ago Microsoft released a Microsoft Security Advisory about a security vulnerability in ASP.NET.  This vulnerability exists in all versions of ASP.NET.

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

At attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

More information about the issue and a workaround can be found on Scott Guthrie’s blog.

No comments: