Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Sep 28, 2010

ASP.NET security patch, what's changed

I've snooped around with fiddler to see what changes have been introduced by the patch release today for the ASP.NET framework.

I've seen to notable differences in the behaviour of webresource.axd:

  1. The d parameter is now set to a value much longer than before, it seems it's 50 bytes longer
  2. Tampering with this parameter will not trigger a 500 server error and an entry in the application event log. A regular 404 error is returned to the browser, and nothing is logged in the event log.
My guess is that they have included an integrity check of some kind. Also, they've fixed the problem with error messages distinguishing between the different errors occuring. Now, it's all 404 errors.

Anyhow, it's time to go home from work. Unfortunately, my local time is quite far from PDT. Happy patching!
Posted by at
Labels: ,

4 comments:

Subscribe to: Post Comments (Atom)

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts