Security Vulnerability in ASP.NET — Padding Oracle Attack

All editions of ASP.NET (1.0 – 4.0) are vulnerable to the “Padding Oracle” crypto attack. Scott Guthrie has a good post about it here. Microsoft has acknowledged the attack and is offering a workaround. There is also a post on Microsoft’s Security Research and Defense blog here. Microsoft’s official response shows that they aren’t too happy that the hacker decided to publicly disclose the attack without telling them about it first:

We continue to encourage security researchers to coordinate vulnerability disclosure with software vendors. We believe public disclosure before a comprehensive update can be produced only leads to customer risk through criminal activity.

An actual demonstration of the attack on a DotNetNuke installation to become the “SuperUser” took less than five minutes…

DotNetNuke has published their response here.

I’ll be keeping up with this over the weekend. So come back to find out more. I haven’t seen any attacks yet… but that will be when it gets interesting…


About Leonard Woody
Software Engineer
