Just reading about this ASP.NET security vurnerability.
Just wondering if this could be used to attack a WCF service hosted under IIS to get to its web.config or if its a pure ASP.NET vurnerability
Just reading about this ASP.NET security vurnerability.
Just wondering if this could be used to attack a WCF service hosted under IIS to get to its web.config or if its a pure ASP.NET vurnerability
I can not see how can some one attack the WCF Service using the Oracle technique.
Anyway WCF need a good design and take measure about security because by him self there are functions that return data with out any check except if you create this check.
Yes you can be affected.
I am having a hard time understanding the full details of this attack, but it is a fundamental problem with ASP.Net and anything that runs on it is affected.
If someone can reach your server, they can send an invalid request, get the error page and proceed with the attack.
Other people have specifically asked about services and it was mentioned that they are affected.
FYI, a patch for this bug has been released on Windows Update.
http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx