ASP.NET Denial of Service Vulnerability 2659883

All replies

  • User-158764254 posted

    A very good place to watch for news on this topic is Scott Gu's blog here:

    http://weblogs.asp.net/scottgu/archive/2011/12/28/asp-net-security-update-shipping-thursday-dec-29th.aspx

    I see a question posted as a comment to his blog that looks like what you're asking - so you've probably already found that blog.

    Note that multipart/form-data is used when your site accepts file uploads.  So if you are accepting file uploads to your site, then we should assume that you have not disallowed that content type.  Keep in mind though that if your site does not offer file upload functionality, it does not mean that the content types noted above have actually been disallowed.  Disallowing those content types would need to be a specific action you would have taken when setting up the site and it appears that disallowing those content types is something that could be done with your firewall.

    Thursday, December 29, 2011 2:08 PM
  • User886227790 posted

    Thanks for the insightful answer.  Does application/x-www-form-urlencoded also apply to file uploads?

    Thursday, December 29, 2011 2:21 PM
  • User-158764254 posted

    The content type application/x-www-form-urlencoded is used when doing a standard POST.  So it is something that I'd suspect all sites would support unless you've gone out of your way to limit your site to simple GET requests.

    Ultimately, as soon as the Security update is released, I think you would want to look at getting it applied asap.

    [edit]

    This little excerpt from the security advisory probably says it most succinctly:

    http://technet.microsoft.com/en-us/security/advisory/2659883

    How do I know if my service is vulnerable?
    Any version of ASP.NET is vulnerable if form submission is enabled using the HTTP POST method, which is the default configuration. Specially crafted HTTP GET requests do not cause the issue. .NET functionality other than ASP.NET, including client-side functionality, is not affected.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, December 29, 2011 2:29 PM
  • User-140236332 posted

    @HelloThar Not typically. That is usually for form POSTs.

    Friday, December 30, 2011 1:05 PM