ASP.NET Authentication Vulnerability - Fix
posted on 2004-10-07 at 11:07:08 by Joel Ross
I haven't posted about this, because I haven't had time to read much about it lately, but I finally got the time to look at this, and the fix is pretty simple.
I didn't look at it yet because our project hasn't deployed yet, but I will need to incorporate this into Tourney Logic's software too!
Anyway, I'll give credit to Robert McLaws, since I saw his fix first.
For those who don't like clicking, here's the C# code you need. Just add it to your global.asax file.
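<script language="C#" runat="server">
// Runs at the start of every request, before authentication and authorization.
void Application_BeginRequest(object source, EventArgs e) {
    // Reject the request if the URL path contains a backslash, or if the
    // mapped physical path is not already in canonical (fully resolved) form.
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        throw new HttpException(404, "not found");
    }
}
</script>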
Categories: ASP.NET