SecurityTracker.com
Category: Application (Generic) > ASP.NET
Vendors: Microsoft
Microsoft ASP.NET May Disclose System Information to Remote Users in Certain Cases
SecurityTracker Alert ID: 1013996
SecurityTracker URL: http://securitytracker.com/id/1013996
CVE Reference: GENERIC-MAP-NOMATCH
Updated: May 22 2005
Original Entry Date: May 18 2005
Impact: Disclosure of system information, Disclosure of user information
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 1.1
Description:   Shreeraj Shah of Net Square Solutions reported a vulnerability in Microsoft ASP.NET web services. A remote user may be able to determine the system path or internal SQL data in certain cases where exceptions are not properly handled.

In the event of a file error, the FileStream method may return an error message faultstring that contains the full path to the requested file, even if an absolute path was requested. If the ASP.NET application does not filter the error message, the path may be disclosed to remote users.

In the event of an SQL query error, the server may return an error message faultstring that contains information about the database structure. If the ASP.NET application does not filter the error message, the information may be disclosed to remote users.

The original advisory is available at:

http://net-square.com/advisory/NS-051805-ASPNET.pdf

Impact:   A remote user may be able to determine the system path or internal SQL data in certain cases.
Solution:   Developers can follow secure programming practices and implement exception handling mechanisms that catch exceptions and filter the error messages before they are returned to the client.

To prevent or reduce information leakage, the vendor plans to include a fix in the next release or service pack.

The vendor has addressed this topic in a description of security considerations for ASP.NET web applications, available at:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtskdisplayingsafeerrormessages.asp
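
The exception filtering recommended in the Solution above, shown for the file error case as an added example (not code from the advisory or the vendor). The service name, namespace, base directory and fault text are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical service: class name, namespace and BaseDir are assumptions.
[WebService(Namespace = "http://example.invalid/docs")]
public class DocumentService : WebService
{
    private const string BaseDir = @"D:\appdata\docs"; // assumed content root

    // Unfiltered: a FileStream failure propagates out of the web method, and
    // its message (with the full physical path) can reach the faultstring.
    [WebMethod]
    public string ReadDocumentUnfiltered(string name) { return ReadAll(name); }

    // Filtered: every failure is logged server-side and replaced by a fault
    // whose text carries only an opaque reference.
    [WebMethod]
    public string ReadDocument(string name)
    {
        try { return ReadAll(name); }
        catch (Exception ex) { throw SafeFault(ex); }
    }

    // Reusable for SQL errors too: wrap the query call in the same try/catch.
    private static SoapException SafeFault(Exception ex)
    {
        string reference = Guid.NewGuid().ToString("N");
        Trace.WriteLine("fault " + reference + ": " + ex); // detail stays in server logs
        // The caught exception is not attached as InnerException, so its
        // message cannot be carried into the response.
        return new SoapException("Request failed. Reference: " + reference,
                                 SoapException.ServerFaultCode);
    }

    private static string ReadAll(string name)
    {
        string path = Path.Combine(BaseDir, Path.GetFileName(name)); // drop directory parts
        using (FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read))
        using (StreamReader reader = new StreamReader(fs))
        {
            return reader.ReadToEnd();
        }
    }
}
```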

Vendor URL:  www.microsoft.com/
Cause:   Access control error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Tested on Windows 2000

Message History:   None.

