Kris Wagner's SharePoint Blog
September 20
Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint

Reposted from the Microsoft SharePoint Team Blog, the official blog of the Microsoft SharePoint Product Group:

http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx


We recently released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This post explains the impact on SharePoint and documents a recommended workaround.

This vulnerability affects Microsoft SharePoint 2010 and Microsoft SharePoint Foundation 2010. The flaw is in ASP.NET itself, not in SharePoint code, but every SharePoint web application runs on ASP.NET and is therefore exposed. An attacker who can tell one server error response from another (by its content or by how long it takes to arrive) can use that difference to extract information from the server; the workaround below removes both signals by returning one fixed error page for every error and inserting a small random delay before it is served.

We recommend that all SharePoint 2010 customers apply the workaround as soon as possible. This post will be updated with any new information.

The workaround for SharePoint 2010 is slightly different from the one documented in the advisory, because SharePoint web applications share the _layouts virtual directory and their web.config files live under a common root. For SharePoint 2010, follow the instructions below on every web front-end in your SharePoint farm (and on any other server that hosts a SharePoint web application, such as the one running Central Administration):

  1. Browse to the SharePoint installation directory at %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\template\layouts.
  2. Create a new file called error2.aspx in this directory with the following content:
    <%@ Page Language="C#" AutoEventWireup="true" %>
    <%@ Import Namespace="System.Security.Cryptography" %>
    <%@ Import Namespace="System.Threading" %>
    
    <script runat="server">
       // Runs for every request that ASP.NET rewrites to this page.  A
       // cryptographically random delay of 0-255 ms is inserted before the
       // fixed body is sent, so response timing does not reveal which error
       // actually occurred.
       void Page_Load() {
          byte[] delay = new byte[1];
          RandomNumberGenerator prng = new RNGCryptoServiceProvider();
    
          prng.GetBytes(delay);            // one random byte, 0-255
          Thread.Sleep((int)delay[0]);     // sleep that many milliseconds
    
          // RNGCryptoServiceProvider is IDisposable on .NET 4.0 but not on
          // .NET 3.5, so dispose it only when the runtime supports it.
          IDisposable disposable = prng as IDisposable;
          if (disposable != null) { disposable.Dispose(); }
       }
    </script>
    
    <html>
    <head runat="server">
        <title>Error</title>
    </head>
    <body>
        <div>
            An error occurred while processing your request.
        </div>
    </body>
    </html>
  3. Navigate to %SystemDrive%\inetpub\wwwroot\wss\virtualdirectories. Each subfolder is the root of one SharePoint web application hosted on this server.
  4. For each subfolder in this directory, do the following:
    1. Edit web.config
    2. Find the customErrors node (it sits inside <system.web>) and change it to:
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/_layouts/error2.aspx" />
    3. Save your changes
  5. Once every web.config has been updated, run iisreset /noforce so that the new settings are loaded. A single reset after all the edits is sufficient.
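The steps above can be scripted so that every server in the farm gets the same change and so that the result can be checked afterwards. The following PowerShell is an added example, not code from the Microsoft post or from SharePoint itself. It assumes the default 14-hive and virtual-directory paths quoted in the steps (change $layouts and $vdirs if your farm differs), that each web.config has the usual <configuration><system.web> layout with no XML default namespace, and that it is run from an elevated PowerShell prompt on every web front-end.

```powershell
# Added example (not from the Microsoft post): applies steps 1-5 of the
# workaround on one server and then verifies every web.config.
# Assumptions: default paths as quoted in the post; web.config uses a plain
# <configuration><system.web> layout without a default namespace; run elevated.

$layouts   = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\template\layouts'
$vdirs     = Join-Path $env:SystemDrive 'inetpub\wwwroot\wss\virtualdirectories'
$errorPage = Join-Path $layouts 'error2.aspx'

# Step 2: the generic error page, with the same content the post gives.
$errorPageContent = @'
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
   void Page_Load() {
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);

      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
   }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
'@
Set-Content -Path $errorPage -Value $errorPageContent -Encoding UTF8

function Get-WebConfigs {
    # One web.config per subfolder, i.e. per SharePoint web application.
    Get-ChildItem -Path $vdirs |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Join-Path $_.FullName 'web.config' } |
        Where-Object { Test-Path $_ }
}

# Steps 3-4: set <customErrors> in each web.config, keeping a timestamped
# backup so the change can be reverted once the security update is installed.
foreach ($config in Get-WebConfigs) {
    Copy-Item $config ('{0}.{1}.bak' -f $config, (Get-Date -Format 'yyyyMMddHHmmss'))

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the file's existing layout
    $xml.Load($config)

    $systemWeb = $xml.SelectSingleNode('/configuration/system.web')
    $node = $systemWeb.SelectSingleNode('customErrors')
    if ($node -eq $null) {
        # Default SharePoint web.config files carry the node; add it if absent.
        $node = $xml.CreateElement('customErrors')
        [void]$systemWeb.AppendChild($node)
    }
    $node.SetAttribute('mode', 'On')
    $node.SetAttribute('redirectMode', 'ResponseRewrite')
    $node.SetAttribute('defaultRedirect', '/_layouts/error2.aspx')
    $xml.Save($config)
    Write-Host "Updated $config"
}

# Step 5: one IIS reset after all files are written.
iisreset /noforce

# Check: every web.config must now carry exactly the expected node.
foreach ($config in Get-WebConfigs) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($config)
    $ce = $xml.SelectSingleNode('/configuration/system.web/customErrors')
    $ok = ($ce -ne $null) -and
          ($ce.GetAttribute('mode') -eq 'On') -and
          ($ce.GetAttribute('redirectMode') -eq 'ResponseRewrite') -and
          ($ce.GetAttribute('defaultRedirect') -eq '/_layouts/error2.aspx')
    if ($ok) { Write-Host "OK       $config" } else { Write-Warning "NOT SET  $config" }
}
```

The verification loop is worth running on its own after any later web.config change (solution deployments and some configuration wizards rewrite the file), since a web application whose customErrors node has been reset silently loses the protection.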

The impact of this workaround: SharePoint 2010 will return the same generic error message to web clients regardless of the error that actually occurs. Because redirectMode is ResponseRewrite, the generic page is written into the original response rather than served via a redirect, so the client sees neither a new URL nor a different status. Two caveats: only errors handled by ASP.NET are covered, so responses that IIS generates itself before the request reaches the ASP.NET pipeline (for example a 404 for a static file) are unchanged; and because mode is On rather than RemoteOnly, administrators browsing locally also lose the detailed error pages, so use the ULS logs for troubleshooting while the workaround is in place.

For more information:

Microsoft Security Advisory (2416728) - Vulnerability in ASP.NET Could Allow Information Disclosure

Security Advisory 2416728 Released – Microsoft Security Response Center Blog

Understanding the ASP.NET Vulnerability – Microsoft Security Research & Defense Blog

Important: ASP.NET Security Vulnerability – Scott Guthrie’s Blog

Frequently Asked Questions about the ASP.NET Security Vulnerability – Scott Guthrie’s Blog


Copyright KrisWagner.com (@sharepointkris) |   Branding: @hwaterman