Sunday, October 10, 2004

Canonicalization ?!?

What is Canonicalization?
Canonicalization is the process by which various equivalent forms of a name can be resolved to a single standard name, or the "canonical" name. For example, on a specific computer, the names c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file. Canonicalization is the process by which such names are mapped to a name that is similar to c:\dir\test.dat.

When a URL is received by a Web server, the server maps the request to a file system path that determines the response. The canonicalization routine that is used to map the request must correctly parse the URL to avoid serving or processing unexpected content.
ASP.NET Vulnerability :

The issue is that ASP.NET is failing to perform proper canonicalization of some URLs.
it affects Web content owners who are running any version of ASP.NET on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional, and Windows Server 2003.
An attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This reported vulnerability exists in ASP.NET and does not affect ASP.
To know more about this issue and recommended guidance on best practices visit
What You Should Know About
Reported Vulnerability in Microsoft ASP.NET
http://www.microsoft.com/security/incident/aspnet.mspx

Check this KB article - that provides prescriptive guidance on how to protect against canonicalization issues immediately on their site. This KB will help developers protect themselves on a per application basis. http://support.microsoft.com/?kbid=887459
The vulnerability was first reported on NTBugtraq.

ASP.NET ValidatePath Module :

Microsoft has released an ASP.NET HTTP module that Web site administrators can apply to their Web server. This module will protect all ASP.NET applications against all potential canonicalization problems known to Microsoft.

Microsoft updated the security site with the updated new information and guidance related to the reported ASP.NET security vulnerability.
*** All customers with any ASP.NET deployments, on any operating systems should follow the guidance provided. ***
To ease things up, Microsoft released a new HTTP Module mitigation best practice.
This is in the form of an MSI installer that will help protect all ASP.NET applications on a Web server. This MSI installer will place a binary into the GAC and update the machine.config file for ASP.NET.

* Download information
* Download the MSI directly

You can find the detailed guidance about the HTTP Module, how the MSI works, and how to deploy it etc in this KB Article: http://support.microsoft.com/?kbid=887289

Source : Arun

No comments: