Microsoft released a Microsoft Security Advisory last weekend about a security vulnerability in ASP.NET concerning all versions of ASP.NET. Microsoft recommends to apply a workaround immediately to prevent against attacks. Here you can find the officially released advisory: http://www.microsoft.com/technet/security/advisory/2416728.mspx. Please note that MS has not released a patch yet, so it's strongly recommended to apply a workaround as described in Scott Guthries Blog.
UPDATE (I) FOR ALL CONTENTXXL CMS HOSTING PROVIDERS:
As contentXXL is based upon ASP.NET this vulnerability also affects your contentXXL installations. Because there's already a default "error.aspx"-page in contentXXL you have to create your own error page:
1) Insert the following "DefaultErrorPage.aspx" into your contentXXL root folder:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load() {
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
}
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
|
2) change the element <customErrors> in your web.config file as following:
|
1
2
|
<customErrors mode="On" redirectMode="ResponseRewrite"
defaultRedirect="~/DefaultErrorPage.aspx"/>
|
UPDATE (II) FOR ALL CONTENTXXL CMS HOSTING PROVIDERS:
Microsoft has now (2010-09-28) released an out-of-the band patch for all versions of the .NET framework. Please check Scott Gu's blog for further details and FAQs: http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx After updating your webservers the above described workaround isn't required anymore.