![ASP.NET 4.7 vulnerability](https://i-blog.csdnimg.cn/blog_migrate/1d0599fe08119dc57bb9ea3cec5f0def.png)
ASP.NET 4.7 vulnerability
This has been blogged about over and over. This is another case where, if you had UrlScan or any decent security URL filter installed on your box, you'd be fine. Certainly it's a problem in ASP.NET, and Microsoft has an HttpModule to fix it. This means you can install this once and get the fix on all your systems, rather than adding it in the BeginRequest of the Global.asax.cs.
One interesting note: if you're confirming the user's Security Principal and Identity (WindowsPrincipal, FormsIdentity) via code, or are using a custom Principal (as I do as a best practice), your code will catch this problem even if ASP.NET Forms Authentication's AuthorizationModule didn't.
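A code-level identity check of the kind described above, as an added example that is not from the original post or from Microsoft's module. `SecurePage`, `RequiredRole` and `CheckCaller` are hypothetical names, and the example assumes the application uses Forms Authentication.

```csharp
using System;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI;

// Added example. Protected pages inherit from SecurePage instead of
// System.Web.UI.Page, so the caller's identity is verified in page code on
// every request, independently of the <authorization> rules that the
// ASP.NET pipeline is expected to enforce.
public abstract class SecurePage : Page
{
    // Override in a page that needs a specific role; null means any authenticated user.
    protected virtual string RequiredRole
    {
        get { return null; }
    }

    // Returns 200 when the caller may proceed, otherwise the status to send.
    protected int CheckCaller(IPrincipal user)
    {
        // No principal, or an anonymous one: the request arrived unauthenticated.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return 401;

        // Assumption: Forms Authentication is in use, so anything other than
        // a FormsIdentity carrying an unexpired ticket is rejected.
        FormsIdentity forms = user.Identity as FormsIdentity;
        if (forms == null || forms.Ticket.Expired)
            return 401;

        if (RequiredRole != null && !user.IsInRole(RequiredRole))
            return 403;

        return 200;
    }

    protected override void OnInit(EventArgs e)
    {
        int status = CheckCaller(Context.User);
        if (status != 200)
        {
            // With Forms Authentication a 401 becomes a redirect to the login page.
            Response.StatusCode = status;
            Response.End(); // ends the request before any page content renders
        }
        base.OnInit(e);
    }
}
```

An application that uses a custom principal or Windows authentication would replace the `FormsIdentity` test with a check for its own identity type.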
1) Updated http://www.microsoft.com/security/incident/aspnet.mspx with new information about the reported vulnerability. This should help clear up some of the confusion we've seen about what is affected by this. To be super clear, all ASP.NET applications, on ALL OS's should follow the guidance provided.
2) A new HTTP Module mitigation best practice. This is in the form of an MSI installer that will help protect all ASP.NET applications on a Web server. This MSI installer will place a binary into the GAC and update the machine.config file for ASP.NET. You can find download information at http://www.microsoft.com/downloads/details.aspx?FamilyID=da77b852-dfa0-4631-aaf9-8bcc6c743026&displaylang=en
You can also download the MSI directly at http://download.microsoft.com/download/4/6/1/461433d5-cbac-4721-85cb-c5a514fd0049/VPModule.msi
3) Detailed guidance about the HTTP Module, how the MSI works, and how to deploy it. You can find this KB Article at http://support.microsoft.com/?kbid=887289
Translated from: https://www.hanselman.com/blog/aspnet-security-vulnerability