# Saturday, 18 September 2010

A couple of days ago I became aware of the following article: Security Hack Exposes Forms Authentication in ASP.NET. That never sounds good, and Microsoft swiftly crafted a workaround to mitigate the attack. The attack is a padding oracle: it works by telling the server's different error responses apart, so the workaround makes every error return one and the same page after a short random delay. It simply consists of changing your web.config and adding a file with a small piece of code in it.

For ASP.NET 1.0 to 3.5 use this adjustment:

<configuration>        
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>       
</configuration>

For ASP.NET 3.5SP1 and 4.0 use this adjustment:

<configuration>
   <system.web>
     <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>

For the 3.5 SP1 / 4.0 variant you'll also need to put that error.aspx page on your server with the following content (the error.html referenced by the 1.0 to 3.5 variant is a plain static page with no code in it):

VB version:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    Sub Page_Load()
        ' One cryptographically random byte decides how long this request waits.
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()

        prng.GetBytes(delay)
        ' Sleep 0-255 ms so the response time no longer reveals which error occurred.
        Thread.Sleep(CType(delay(0), Integer))

        ' RandomNumberGenerator only implements IDisposable on newer framework
        ' versions, hence the TryCast instead of a plain Dispose call.
        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        Sorry - an error occurred
    </div>
</body>
</html>

C# version:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    void Page_Load() {
        // One cryptographically random byte decides how long this request waits.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();

        prng.GetBytes(delay);
        // Sleep 0-255 ms so the response time no longer reveals which error occurred.
        Thread.Sleep((int)delay[0]);

        // RandomNumberGenerator only implements IDisposable on newer framework
        // versions, hence the "as" cast instead of a plain Dispose call.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
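The workaround only helps if every piece of it is in place, so here is an added example (my own code, not from the original post or from Microsoft) that audits a deployment against the steps above: it parses the web.config, checks that customErrors is mode="On" with a single defaultRedirect page, requires redirectMode="ResponseRewrite" on 3.5 SP1 / 4.0 (the attribute does not exist before SP1), verifies the referenced page is actually deployed, and for an .aspx page checks that it still contains the RandomNumberGenerator / Thread.Sleep delay. It also flags per-status `<error>` child elements, since routing different errors to different pages would undo the uniform response the workaround relies on. The sample configs and page contents are constructed for the example; the framework version is passed in as a tuple because it cannot be read from web.config alone.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from any real deployment).
SAMPLE_OK_40 = """<configuration>
   <system.web>
     <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>"""

SAMPLE_OK_35 = """<configuration>
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>
</configuration>"""

SAMPLE_BAD = """<configuration>
   <system.web>
     <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx">
       <error statusCode="404" redirect="~/notfound.aspx" />
     </customErrors>
   </system.web>
</configuration>"""

# Abbreviated error.aspx with the random delay, as deployed alongside the config.
OK_PAGE = """<%@ Page Language="C#" AutoEventWireup="true" %>
<script runat="server">
   void Page_Load() {
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();
      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);
   }
</script>"""


def audit_custom_errors(web_config_xml, framework_version, deployed_files):
    """Return a list of findings; an empty list means the workaround is applied.

    framework_version is a (major, minor, servicepack) tuple, e.g. (3, 5, 1)
    for 3.5 SP1 or (4, 0, 0) for 4.0.  deployed_files maps a file name under
    the site root to its contents.
    """
    findings = []
    root = ET.fromstring(web_config_xml)
    ce = root.find("./system.web/customErrors")
    if ce is None:
        # With no element at all ASP.NET behaves as RemoteOnly, not On.
        findings.append('customErrors element missing; ASP.NET defaults to RemoteOnly, not "On"')
        return findings

    mode = ce.get("mode")
    if mode != "On":
        findings.append('customErrors mode is %r, must be "On"' % mode)

    target = ce.get("defaultRedirect")
    if not target:
        findings.append("defaultRedirect not set: every error must land on one page")
    else:
        fname = target[2:] if target.startswith("~/") else target
        if fname not in deployed_files:
            findings.append("defaultRedirect target %r is not deployed" % target)
        elif fname.lower().endswith(".aspx"):
            page = deployed_files[fname]
            if "RandomNumberGenerator" not in page or "Thread.Sleep" not in page:
                findings.append("%s lacks the random Thread.Sleep delay" % fname)

    # ResponseRewrite serves the error page in place of the failing request;
    # it is only available from 3.5 SP1 onwards.
    if framework_version >= (3, 5, 1):
        if ce.get("redirectMode") != "ResponseRewrite":
            findings.append('redirectMode must be "ResponseRewrite" on 3.5 SP1 / 4.0')
    elif ce.get("redirectMode") is not None:
        findings.append("redirectMode is not recognised before 3.5 SP1")

    if ce.findall("error"):
        findings.append("per-status <error> children send different errors to different pages; remove them")
    return findings


if __name__ == "__main__":
    for label, cfg, ver, files in [
        ("4.0 ok", SAMPLE_OK_40, (4, 0, 0), {"error.aspx": OK_PAGE}),
        ("3.5 ok", SAMPLE_OK_35, (3, 5, 0), {"error.html": "<html>Error</html>"}),
        ("4.0 bad", SAMPLE_BAD, (4, 0, 0), {}),
    ]:
        print(label, audit_custom_errors(cfg, ver, files) or "OK")
```

Run it against a copy of the site's web.config and a listing of the deployed files; every finding is one of the steps above that is missing or wrong.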

Grz, Kris.

Saturday, 18 September 2010 13:49:57 (GMT Daylight Time, UTC+01:00)