Important: ASP.NET Security Vulnerability
page 8 of 11
by Scott Guthrie
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 42426/ 164

How to Find Vulnerable ASP.NET Applications on Your Web Server

We have published a .vbs script that you can save and run on your web-server to determine if there are ASP.NET applications installed on it that either have <customErrors> turned off, or which differentiate error messages depending on status codes.

You can download the .vbs script here.  Simply copy/paste the script into a text file called “DetectCustomErrors.vbs” and save it to disk.  Then launch a command window that is elevated as admin and run “cscript DetectCustomErrors.vbs” to run it against your local web-server.  It will enumerate all of the applications within your web server and verify that the correct <customErrors> configuration has been specified.

It will flag any application where it finds that an application’s web.config file doesn’t have the <customErrors> section (in which case you need to add it), or doesn’t have it set correctly to workaround this attack (in which case you need to update it).  It will print “ok” for each application web.config file it finds that is fine.  This should hopefully make it easier to locate issues.

Note: We have developed this detection script over the last few hours, and will be refining it further in the future.  I will post an update in this section each time we make a change to it.

How to Find More Information about this Vulnerability

You can learn more about this vulnerability from:

Microsoft Security Advisory 2416728

Understanding the ASP.NET Vulnerability

Microsoft Security Response Center Blog Post

View Entire Article

User Comments

No comments posted yet.

Product Spotlight
Product Spotlight 

Community Advice: ASP | SQL | XML | Regular Expressions | Windows

©Copyright 1998-2021  |  Page Processed at 2021-12-08 10:16:54 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search