BeyondTrust

Security in Context: The BeyondTrust Blog


ASP.NET Viewstate Padding Information Disclosure

Disclosed September 17, 2010    Fully Patched

Vulnerability Description:

By leveraging a cryptographic weakness within all supported versions of ASP.NET, remote unauthenticated attackers could potentially obtain sensitive information, such as session information and site login credentials, and/or read files stored on the vulnerable server, such as web.config.

Vendors:

Microsoft

Vulnerable Software/Devices:

ASP.NET 4.0 and prior

Vulnerability Severity:

Medium

Exploit Availability:

N/A

BeyondTrust Prevention and Detection:

  • BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.
    • Retina Audit 13470 - Microsoft ASP.NET Viewstate Padding Information Disclosure (Zero-Day)

Mitigation:

Enable ASP.NET custom errors and map all error codes to the same page. Because every error then returns the same page, attackers cannot use differences between error responses to attack vulnerable servers.

CVE(s):

None
