Does the Authentication method matter?

  • Question

  • User178622821 posted

    If a site uses Windows Authentication (Basic or Integrated), as opposed to Forms Authentication, is it still vulnerable?  Or does this only affect sites that use Forms Authentication?

    Saturday, September 18, 2010 10:53 AM

Answers

  • User-619846739 posted

    Windows auth isn't affected, so you're good there, but if someone gets to the rest of your site, they may be able to access connection strings or passwords that will allow them to elevate their privileges and gain more access through each iteration, like in the attached video.

    It seems the case for me too that the cipher text is needed.  That's readily available though. 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, September 18, 2010 11:37 AM
  • User178622821 posted

    FYI, I posted the same question on Scott Guthrie's blog.  Here's his response:



    # re: Important: ASP.NET Security Vulnerability
    Saturday, September 18, 2010 10:10 PM by ScottGu

    @Jim,

    >>>>>>>> If a site is using Windows authentication (Basic or Integrated), as opposed to Forms Authentication, is it still vulnerable?

    Yes.  The attack that was covered at a security conference yesterday did not use either Forms Authentication or ViewState as the attack vector.

    Even if you use Windows Authentication you should apply the workaround.  Once a patch to fix the vulnerability is available then the workaround will no longer be required.

    Hope this helps,

    Scott

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, September 19, 2010 7:57 AM

All replies

  • User178622821 posted

    Also, in the demonstration against DNN here: http://www.youtube.com/watch?v=yghiC_U2RaM, it looks like an attacker needs a "cipher text" to crack the encryption key.  If a site does not expose any cipher text, is it still vulnerable?  My understanding is requests for embedded resources, such as ajax scripts, expose these in references to ScriptResources or WebResources in the page source...

    Saturday, September 18, 2010 11:14 AM
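
An added example, not part of any post in this thread: a short Python audit that lists the WebResource.axd and ScriptResource.axd references a rendered page hands to every visitor, which is the exposure the post above asks about. The sample HTML and its token values are constructed placeholders, and the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Handler names taken from the post above; matching is case-insensitive.
HANDLERS = ("webresource.axd", "scriptresource.axd")

class ResourceTokenFinder(HTMLParser):
    """Collects (tag, handler, token) for each src/href aimed at a resource handler."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("src", "href") or not value:
                continue
            url = urlsplit(value)
            handler = url.path.rsplit("/", 1)[-1].lower()
            if handler not in HANDLERS:
                continue
            # The d= query value is the opaque token these handlers receive.
            for token in parse_qs(url.query).get("d", []):
                self.findings.append((tag, handler, token))

def find_resource_tokens(html):
    """Return every resource-handler token found in one page's markup."""
    finder = ResourceTokenFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the token values are placeholders, not real ciphertext.
SAMPLE_PAGE = """
<html><head>
<script src="/WebResource.axd?d=PLACEHOLDER_TOKEN_A&amp;t=1"></script>
<script src="/ScriptResource.axd?d=PLACEHOLDER_TOKEN_B&amp;t=2"></script>
<script src="/scripts/site.js"></script>
<link href="/app/WebResource.axd?d=PLACEHOLDER_TOKEN_C&amp;t=3" rel="stylesheet" />
</head><body><img src="/images/logo.png" /></body></html>
"""

if __name__ == "__main__":
    for tag, handler, token in find_resource_tokens(SAMPLE_PAGE):
        print(f"<{tag}> {handler}: d= token of {len(token)} characters")
```

Running it over the saved output of your own pages shows which of them emit these references, so you know where the workaround and the eventual patch matter most.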