ASP.NET中发现了一个可能导致信息泄漏的漏洞,影响了所有版本的ASP.NET,请注意做好保护措施。详细请参考http://www.microsoft.com/technet/security/advisory/2416728.mspx。
该漏洞目前已有更新补丁,请通过http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx下载更新或使用Windows Update更新。
以下信息是未发布补丁前的临时做法
对于.NET Framework 3.5或之前版本
1. 启用ASP.NET custom errors,并将所有错误代码指向同一个错误页面。
2. (A)如果该ASP.NET应用程序没有web.config文件,则在根目录新建一个,并写入下面的内容
2 < location allowOverride ="false" >
3 < system.web >
4 < customErrors mode ="On" defaultRedirect ="~/error.html" />
5 </ system.web >
6 </ location >
7 </ configuration >
(B)如果已经存在web.config文件,则插入下面内容
2 < customErrors mode ="On" defaultRedirect ="~/error.html" />
3 </ system.web >
3. 创建一个名为error.html的文件,它可以包含静态的错误提示信息,但不能包含动态内容。
对于.NET 3.5 Framework SP1或之后版本
1. 启用ASP.NET custom errors,并将所有错误代码指向同一个错误页面。
2. (A)如果该ASP.NET应用程序没有web.config文件,则在根目录新建一个,并写入下面的内容
2 < location allowOverride ="false" >
3 < system.web >
4 < customErrors mode ="On" redirectMode ="ResponseRewrite" defaultRedirect ="~/ErrorPage.aspx" />
5 </ system.web >
6 </ location >
7 </ configuration >
(B) 如果已经存在web.config文件,则插入下面内容
2 < customErrors mode ="On" redirectMode ="ResponseRewrite" defaultRedirect ="~/ErrorPage.aspx" />
3 </ system.web >
3. 创建ErrorPage.aspx文件,并写入以下内容
C#
2 <% @ Import Namespace = " System.Security.Cryptography " %>
3 <% @ Import Namespace = " System.Threading " %>
4
5 < script runat = " server " >
6 void Page_Load() {
7 byte [] delay = new byte [ 1 ];
8 RandomNumberGenerator prng = new RNGCryptoServiceProvider();
9
10 prng.GetBytes(delay);
11 Thread.Sleep(( int )delay[ 0 ]);
12
13 IDisposable disposable = prng as IDisposable;
14 if (disposable != null ) { disposable.Dispose(); }
15 }
16 </ script >
17
18 <! DOCTYPE html PUBLIC " -//W3C//DTD XHTML 1.0 Transitional//EN " " http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd " >
19
20 < html xmlns = " http://www.w3.org/1999/xhtml " >
21 < head runat = " server " >
22 < title ></ title >
23 </ head >
24 < body >
25 < div >
26 An error occurred while processing your request.
27 </ div >
28 </ body >
29 </ html >
VB:
2 < %@ Import Namespace = " System.Security.Cryptography " % >
3 < %@ Import Namespace = " System.Threading " % >
4
5 < script runat = " server " >
6 Sub Page_Load()
7 Dim delay As Byte () = New Byte ( 0 ) {}
8 Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
9
10 prng.GetBytes(delay)
11 Thread.Sleep( CType (delay( 0 ), Integer ))
12
13 Dim disposable As IDisposable = TryCast(prng, IDisposable)
14 If Not disposable Is Nothing Then
15 disposable.Dispose()
16 End If
17 End Sub
18 </ script >
19
20 < !DOCTYPE html PUBLIC " -//W3C//DTD XHTML 1.0 Transitional//EN " " http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd " >
21
22 < html xmlns = " http://www.w3.org/1999/xhtml " >
23 < head runat = " server " >
24 < title ></ title >
25 </ head >
26 < body >
27 < div >
28 An error occurred while processing your request.
29 </ div >
30 </ body >
31 </ html >