Tuesday, September 21, 2010

Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.


We recently released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This post explains the impact on SharePoint and documents a recommended workaround.

This vulnerability affects Microsoft SharePoint 2010 and Microsoft SharePoint Foundation 2010. The vulnerability is in ASP.NET.

We recommend that all SharePoint 2010 customers apply the workaround as soon as possible. This post will be updated with any new information.

The workaround for SharePoint 2010 is slightly different from the one documented in the advisory. For SharePoint 2010, you should follow the instructions below on every web front-end in your SharePoint farm:

  1. Browse to the SharePoint installation directory at %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\template\layouts.
  2. Create a new file called error2.aspx in this directory with the following content:

    <%@ Page Language="C#" AutoEventWireup="true" %>
    <%@ Import Namespace="System.Security.Cryptography" %>
    <%@ Import Namespace="System.Threading" %>

    <script runat="server">
    void Page_Load() {
        // Sleep for a cryptographically random 0-255 ms before answering, so the
        // response time no longer reveals which kind of error occurred.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
    </script>

    <html>
    <head runat="server">
    <title>Error</title>
    </head>
    <body>
    <div>
    <!-- The same generic text is returned for every error, so the body gives nothing away either. -->
    An error occurred while processing your request.
    </div>
    </body>
    </html>
  3. Navigate to %SystemDrive%\inetpub\wwwroot\wss\virtualdirectories.
  4. For each subfolder in this directory, do the following:

    1. Edit web.config.
    2. Find the customErrors node and change it to:
       <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/_layouts/error2.aspx" />
    3. Save your changes.
    4. Run iisreset /noforce.
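Steps 3 and 4 have to be repeated for every web application's virtual directory on every front-end, and a missed web.config leaves that web application exposed. The PowerShell script below is an added illustration, not part of the advisory or of the SharePoint product: it walks the virtualdirectories folder from step 3, reports which web.config files already carry the customErrors values from step 4, and, when run with -Apply, backs each file up and writes those values before running iisreset /noforce. The directory path and the customErrors attributes are the ones given in the steps above; the -Apply switch, the backup file naming and the function names are this script's own conventions. It avoids cmdlet parameters that were added after PowerShell 2.0 so that it runs on the Windows Server 2008 R2 hosts SharePoint 2010 is typically installed on.

```powershell
# Added example (not from the advisory): apply the customErrors workaround to
# every SharePoint web application virtual directory on this web front-end.
# Run from an elevated PowerShell prompt on each front-end server.
param(
    # Folder holding one subfolder per IIS web application (the path from step 3).
    [string]$VirtualDirectoryRoot = (Join-Path $env:SystemDrive 'inetpub\wwwroot\wss\virtualdirectories'),
    # Without -Apply the script only reports; with it, files are backed up and changed.
    [switch]$Apply
)

# The attribute values from step 4.2 of the post.
$expected = @{
    mode            = 'On'
    redirectMode    = 'ResponseRewrite'
    defaultRedirect = '/_layouts/error2.aspx'
}

function Get-CustomErrorsState {
    # Returns 'ok', 'differs' or 'missing' for one web.config.
    param([string]$WebConfigPath)
    [xml]$cfg = [System.IO.File]::ReadAllText($WebConfigPath)
    $node = $cfg.SelectSingleNode('/configuration/system.web/customErrors')
    if ($null -eq $node) { return 'missing' }
    foreach ($name in $expected.Keys) {
        # GetAttribute returns '' for an absent attribute, which also counts as a difference.
        if ($node.GetAttribute($name) -ne $expected[$name]) { return 'differs' }
    }
    return 'ok'
}

function Set-CustomErrorsWorkaround {
    # Backs up the file, then creates or rewrites the customErrors element in place.
    param([string]$WebConfigPath)
    [xml]$cfg = [System.IO.File]::ReadAllText($WebConfigPath)
    $systemWeb = $cfg.SelectSingleNode('/configuration/system.web')
    if ($null -eq $systemWeb) { throw "No <system.web> element in $WebConfigPath" }
    $node = $systemWeb.SelectSingleNode('customErrors')
    if ($null -eq $node) {
        $node = $cfg.CreateElement('customErrors')
        [void]$systemWeb.AppendChild($node)
    }
    foreach ($name in $expected.Keys) { $node.SetAttribute($name, $expected[$name]) }
    # Keep a timestamped copy so the edit can be reverted once the real fix is installed.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -LiteralPath $WebConfigPath -Destination "$WebConfigPath.$stamp.bak"
    $cfg.Save($WebConfigPath)   # XmlDocument.Save wants an absolute path; FullName below supplies one
}

$changed = 0
Get-ChildItem -LiteralPath $VirtualDirectoryRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $webConfig = Join-Path $_.FullName 'web.config'
    if (-not (Test-Path -LiteralPath $webConfig)) {
        Write-Warning "No web.config in $($_.FullName); skipping"
        return
    }
    $state = Get-CustomErrorsState -WebConfigPath $webConfig
    if ($state -eq 'ok') {
        Write-Host "$webConfig already has the workaround"
        return
    }
    if ($Apply) {
        Set-CustomErrorsWorkaround -WebConfigPath $webConfig
        $changed++
        Write-Host "Updated $webConfig (customErrors was $state)"
    } else {
        Write-Host "Would update $webConfig (customErrors is $state); re-run with -Apply"
    }
}

# Step 4.4 of the post: restart IIS without dropping in-flight connections.
if ($Apply -and $changed -gt 0) { iisreset /noforce }
```

Run it once without -Apply to see which web applications still differ, then with -Apply on each front-end. Step 2 (creating error2.aspx under the 14\template\layouts folder) is deliberately left out of the script: the page must exist before the redirect is switched on, otherwise every error would turn into a second error for the missing page. Keep the .bak copies until the ASP.NET security update has been installed and the workaround is reverted.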

For more information:

  - Microsoft Security Advisory (2416728) - Vulnerability in ASP.NET Could Allow Information Disclosure
  - Security Advisory 2416728 Released – Microsoft Security Response Center Blog
  - Understanding the ASP.NET Vulnerability – Microsoft Security Research & Defense Blog
  - Important: ASP.NET Security Vulnerability – Scott Guthrie’s Blog
  - Frequently Asked Questions about the ASP.NET Security Vulnerability – Scott Guthrie’s Blog
