Microsoft .NET request filtering bypass vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Microsoft .NET request filtering bypass vulnerability
From: research@xxxxxxxxxxxxxx
Date: 25 Oct 2006 22:11:08 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Applications which fail to provide their own filtering on top of the inbuilt 
.NET request filtering may be vulnerable to XSS attacks.

Provided that a web application solely relies on .NET request filtering before 
echoing input back to the web browser, it is possible to inject scripting code 
and successfully launch XSS attacks by submitting a specially crafted request.

Specific technical details about the payload required to bypass the .NET 
request filtering will be provided by ProCheckUp 
<http://www.procheckup.com> at a later date.


The following combination of client and server environment was successfully 
tested using XSS cookie theft and redirect attacks:

* Microsoft Windows Server 2003 Standard Edition Build 
3790.srv03_sp1_rtm.050324-1447 Service Pack 1
* Microsoft IIS 6.0
* Microsoft ASP .NET Framework Version 2.0.50727.42
* Microsoft Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519
* Microsoft Internet Explorer 7.0.5450.4 Beta 3

Note: the technical details for this advisory are different from BIDs 8562, 
12574 and 20337.

The current version of the advisory can be found on 
http://www.niscc.gov.uk/niscc/docs/br-20061020-00711.html?lang=en

Prev by Date: Hosting Controller 6.1 Hotfix <= 3.2 Vulnerability
Next by Date: TextPattern <=1.19 Remote File Inclusion Vulnerability
Previous by thread: Hosting Controller 6.1 Hotfix <= 3.2 Vulnerability
Next by thread: TextPattern <=1.19 Remote File Inclusion Vulnerability
Index(es):
- Date
- Thread