ASP.NET Security Vulnerability and What To Do About It

Frank Cheung

14 years ago

Microsoft announced a serious security vulnerability in ASP.NET that allows an attacker to gain unauthorized access to files within your web site, including the web.config file which can contain sensitive information such as database login.

You can review the technical details of this vulnerability on Scott Guthrie’s blog:

Since Microsoft has not released a patch for this problem, we recommend that our customers do the following:

Update your web application with the workaround recommended in the above posts and enable <customErrors>
Encrypt your web.config file as recommended by Scott Guthrie for best practices in this FAQ. We describe how to encrypt your web.config file in this Knowledge Base article.

Microsoft has also created a forum on the ASP.net site to field questions about this security vulnerability.

Frank Cheung
CTO

Add Frank Cheung to your Google+ circles.
Visit DiscountASP.NET to learn more about our ASP.NET hosting services.