Should I be concerned?

http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx
Should I be concerned about this vulnerability if I don’t store any sensitive information in my viewstate?

“Yes you should.  There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file.  You should apply the workaround to block the padding oracle attack in its initial stage of the attack.  The security update will fix this vulnerability.”

========
I know, I know…. Geeze shut up Susan and patch already if you are that worried about this.

Sorry but I want to understand here.

Yoda has config info in some of his config files up on the server.  You open them up in notepad and bingo, there’s the authentication information for stuff on the server.  (Guess I shouldn’t admit that huh?)  But he’s been patched already.

So I haven’t looked at EVERY web.config file on the SBS 2008 or SBS 2003, mind you, but of the ones I browsed through, I’m not seeing anything sensitive.  Both RWW on SBS 2003 and SBS 2008 (and obviously Home Server) use ViewState… but… passwords aren’t saved.
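The same check done systematically rather than by opening each file in Notepad, as an added example that is not part of this post: a small Python scanner that walks every web.config under a directory and reports attributes that hold a plaintext credential or a connection string with an embedded password, while skipping any section that has already been encrypted with aspnet_regiis (those carry a configProtectionProvider attribute). The attribute names it looks for are an assumption (a representative list, not an exhaustive one), and the sample config at the bottom is constructed for illustration; it never prints the secret values themselves.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Attribute names that directly hold a credential (assumption: representative, not exhaustive).
CREDENTIAL_ATTRS = {"password", "pwd"}
# Substrings that mark a connection string carrying an embedded password.
EMBEDDED_MARKERS = ("password=", "pwd=")


def is_protected(elem):
    """True if the section was encrypted with aspnet_regiis -pe (configProtectionProvider set)."""
    return "configProtectionProvider" in elem.attrib


def find_unencrypted_secrets(config_xml):
    """Return findings as (element path, attribute, kind) tuples; secret values are never echoed."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path, protected):
        protected = protected or is_protected(elem)
        here = f"{path}/{elem.tag}"
        if not protected:
            for attr, value in elem.attrib.items():
                lowered = value.strip().lower()
                if attr.lower() in CREDENTIAL_ATTRS and lowered:
                    findings.append((here, attr, "plaintext credential"))
                elif any(marker in lowered for marker in EMBEDDED_MARKERS):
                    findings.append((here, attr, "connection string with embedded password"))
        for child in elem:
            walk(child, here, protected)

    walk(root, "", False)
    return findings


def scan_tree(root_dir):
    """Scan every web.config below root_dir; returns {path: findings} for files with findings."""
    report = {}
    for cfg in Path(root_dir).rglob("web.config"):
        try:
            # utf-8-sig strips the BOM that Visual Studio commonly writes into web.config.
            findings = find_unencrypted_secrets(cfg.read_text(encoding="utf-8-sig"))
        except ET.ParseError as exc:
            findings = [("(file)", "parse error", str(exc))]
        if findings:
            report[str(cfg)] = findings
    return report


# Constructed sample web.config: one encrypted section, two plaintext leaks, one benign setting.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>...</EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="SiteName" value="Remote Web Workplace" />
  </appSettings>
  <system.web>
    <identity impersonate="true" userName="svc_rww" password="CONSTRUCTED-SAMPLE" />
    <sessionState mode="SQLServer"
      sqlConnectionString="data source=sql01;user id=aspstate;pwd=CONSTRUCTED-SAMPLE" />
    <customErrors mode="On" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    # Run against the constructed sample; point scan_tree() at C:\inetpub (or similar) for a real server.
    for path, attr, kind in find_unencrypted_secrets(SAMPLE_CONFIG):
        print(f"{kind}: {path}@{attr}")
```

On the sample it reports the impersonation password and the session-state connection string, and stays silent on the encrypted connectionStrings section; a file that produces no findings is the situation the post describes, where the config leak has little to give away.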

As others have said, the Microsoft guidance too often focuses on the patch and not the risk of the patching. 

More discussion here to explode your brain tonight – http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
