ASP.NET Security Issue & Workaround

Author: APGvNext (Sam), vNext Dev

A security issue has been identified in ASP.NET that would allow malicious users to download your web.config file. Please follow the steps below to protect your forum before MS releases a patch to correct it in the .NET core:
  1. Check the customErrors section in web.config and make some changes if necessary;
  2. Generate Machine Key that uses 3DES instead of AES for encryption, and
  3. Encrypt your connection string.


Check the customErrors section

In the forum's root folder, you should have a web.config file that contains the configuration we have for the forum software. In the file, under system.web, you should find a section named customErrors (unless you have deleted it; it is included in the package).
 
Please make sure it reads as the following:
        <customErrors redirectMode="ResponseRewrite" defaultRedirect="~/PGDErrorHandler.aspx" mode="On">
            <!--<error statusCode="404" redirect="~/PGDRewrite.aspx"/>-->
        </customErrors>

A few points to note:

The mode attribute must be set to "On"

We have it as Off to help you see errors (if any) easily when you first install the software. We do have a security section in the installation document to ask you to set it to On. If you haven't done so, please make it happen right away.
 

Additional attribute: redirectMode

This is a new attribute for ASP.NET 3.5 SP1 and later. It makes the error less obvious to a hacker.
 

404 section commented out

With the change above, we don't handle the 404 error (file not found) differently from the 500 error (server application error). This is a temporary workaround; you can un-comment the 404 section later, once MS fixes this security problem.
 

Generate Machine Key with 3DES for encryption

Another security problem found alongside this one has to do with MS's implementation of AES encryption, which is used to encrypt the FormsAuthentication cookie (this affects us) and ViewState (this doesn't affect us, as we don't use encrypted ViewState). The problem lies in the core of .NET, and for now we need to change the machineKey section in web.config to use 3DES (triple DES) instead.
 
By default we don't have a machineKey defined (also under system.web; you need to define it yourself, as it has to be unique to your environment). We have a machine key generator that can generate a unique machine key for your particular installation in the AdminCP -> Basic Maintenance. However, we used to generate the machine key based on AES (currently vulnerable). Because of this issue, we have released an update (license holder only link) which changes the behavior of the generator to use 3DES instead.
 
Check your machine key, and if your current one uses AES, download the patch and generate a new machine key for yourself. If you don't have a machineKey section defined, please generate one, as it has numerous benefits for your forum.
 
With the new machineKey in place, the only thing to note is that your users will have to log in again (as will you).
 

Encrypt connectionString in web.config

This is not a workaround but rather a best practice, regardless of ASP.NET's security status. See this post for instructions on encrypting the connection string.
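The three checks from the post above, as an added PowerShell audit script (not part of the forum post or the forum software): it parses a web.config, reports where customErrors or machineKey differ from the interim settings, and can print a freshly generated 3DES machineKey element. The path .\web.config and the key sizes (24 bytes for 3DES, 64 bytes for SHA1 validation) are assumptions.

```powershell
# Added example: audit web.config for the interim settings described above.
# Assumed default path: .\web.config (pass -Path for another location).
param(
    [string]$Path = '.\web.config',
    [switch]$NewKey
)

[xml]$cfg = Get-Content -Path $Path
$web = $cfg.configuration.'system.web'
$findings = @()

# 1. customErrors must be On, use ResponseRewrite and have no separate 404 handler
$ce = $web.customErrors
if (-not $ce) {
    $findings += 'customErrors section is missing'
} else {
    if ($ce.mode -ne 'On') { $findings += "customErrors mode is '$($ce.mode)', expected 'On'" }
    if ($ce.redirectMode -ne 'ResponseRewrite') { $findings += 'customErrors redirectMode is not ResponseRewrite' }
    if ($ce.error | Where-Object { $_.statusCode -eq '404' }) { $findings += 'a separate 404 error handler is still active' }
}

# 2. machineKey must be defined and must not rely on AES (or Auto, which picks AES)
$mk = $web.machineKey
if (-not $mk) {
    $findings += 'machineKey section is missing'
} elseif (-not $mk.decryption -or $mk.decryption -eq 'Auto' -or $mk.decryption -eq 'AES') {
    $findings += "machineKey decryption is '$($mk.decryption)', expected '3DES'"
}

if ($findings.Count -eq 0) { Write-Output 'web.config matches the workaround' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }

# 3. Optional: emit a new machineKey element using 3DES decryption and SHA1 validation.
#    Key bytes come from the .NET cryptographic RNG and are printed as upper-case hex.
function New-HexKey([int]$ByteCount) {
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $ByteCount
    $rng.GetBytes($bytes)
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}
if ($NewKey) {
    Write-Output ('<machineKey validationKey="{0}" decryptionKey="{1}" validation="SHA1" decryption="3DES" />' -f (New-HexKey 64), (New-HexKey 24))
}
```

Paste the printed element under system.web; as the post notes, every user (including you) will have to log in again once the key changes.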

Re: ASP.NET Security Issue & Workaround

Reply from APGvNext (Sam), vNext Dev:
    MS released a patch (you can get it from Windows Update) for all .NET frameworks affected by the flaw on Sept. 29, and I am happy to report that after testing the security patch on IIS 7 and IIS 6 with the forum, I can confirm that the patch does not break any functionality.
     
    What this means is:
    1. You can put back the 404 error handler;
    2. You can revert to the stronger AES encryption for your machine key.
    The only thing you will notice is users will need to log on again (previous authentication cookie will be invalidated).