Tuesday, September 21, 2010

Update: 2007/WSS3 is not vulnerable to the attack. No workaround is needed right now, but you still need to apply the fix when it come out

How to validate? Can I type in some non-existing pages to test if web.config changes work on SharePoint?

The answer would be no. When you try to access a non-existing page on a SharePoint site with a modified web.config you will still have 404 codes. But SharePoint has its own custom error handler to generate those 404s for non-existing pages, which will not be able to be used directly by the attack. The workaround will be able to prevent error codes from being generated by accessing certain ASP.Net resources, and it would work if you followed the steps correctly.

Just remember, the ultimate solution is the upcoming ASP.Net fix. This workaround is just temporary, get you protection before the patch is released. Once it’s released, apply the fix and then restore your web.config to the original ones.

Jie

Courtesy: Jie Li's GeekWorld blog.

No comments:

Post a Comment