ASP.NET Forms Authentication Vulnerability

Original post, October 14, 2004, 15:38:00

What You Should Know About a Reported Vulnerability in Microsoft ASP.NET

Published: October 5, 2004 | Updated: October 7, 2004

Microsoft is continuing to investigate a reported vulnerability in Microsoft ASP.NET. Reports have indicated that an attacker could send specially crafted requests to a Web server running ASP.NET applications and bypass forms-based authentication or Windows authorization configurations, and potentially view secured content without providing the proper credentials. Our initial investigation has revealed that all versions of ASP.NET could be affected, independent of the installed IIS version or IIS components.

Microsoft strongly advises, as a preventative measure, that all Web content owners and administrators who are running any version of ASP.NET immediately read and implement one of the suggestions made in the Microsoft Knowledge Base articles listed on this page.

Note: This page was updated October 7, 2004, to include information about a newly released mitigation option, an HTTP module installer. This module protects all ASP.NET applications on a Web server against canonicalization problems that are currently known to Microsoft as of the publication date. We will continue to update this page as additional guidance and resources become available.

Guidance for Web Site Administrators

Microsoft has released an HTTP module that Web site administrators can apply to their Web server that will protect all ASP.NET applications on the server against URL canonicalization problems known to Microsoft as of the publication date. This module, as well as detailed guidance and deployment information, is available from the Microsoft Download Center.

For additional guidance on how to install and deploy this module to help protect your servers, see Microsoft Knowledge Base Article 887289, "HTTP Module to Check for Canonicalization Issues with ASP.NET."

Guidance for ASP.NET Developers

Note: If you install the HTTP module, this guidance is not necessary.

Microsoft recommends that Web site owners and developers implement the suggestions made in Microsoft Knowledge Base Article 887459, "Programmatically Check for Canonicalization Issues with ASP.NET," to mitigate this issue. Applying the article's guidance to your ASP.NET application will protect the application against URL canonicalization problems known to Microsoft as of the publication date.

In addition to this guidance, which will help protect customers against this type of security issue, Microsoft is working to provide a security update to ASP.NET that will provide additional protection for customers. We will release the update once it has reached an appropriate level of quality for deployment.

Technical Assistance

If you believe you are affected by this potential issue, contact Microsoft Product Support Services for assistance.

  • For no-charge security update and virus-related support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338).
  • For worldwide support, contact your local Microsoft office.

Develop a Security Strategy

Get the prescriptive technical guidance, tools, training, and updates you need to plan and manage a security strategy that is right for your organization.

