tags:

views:

75

answers:

1

I am still unable to figure out the following questions, which are related to the padding oracle security issue. Point no. 1 is a general question: I want to know the easy way to change the machine key. Point no. 2 is related to the security issue.

  1. If I change the machine key, then how easily can I change the user passwords stored in the DB? User passwords are also encrypted with the same machine key. Changing the key will make the passwords become invalid. Please correct me if I am mistaken.
  2. In webresource.axd?d=..., what is the data type stored in the 'd' parameter? How will it allow downloading any arbitrary file? I know only that it can allow embedded resources to be downloaded. But can someone show an example of downloading the web.config file using webresource.axd? Everybody says that web.config can be downloaded, but I did not find an example of doing that.

I will be glad if someone can answer with a simple example. Please do not point me to ScottGu's blog; after reading his blog and recommendation I do not want to visit his blog again, and I am surprised to learn how he is leading the ASP.NET team.

+1  A: 

Hello Kumar,

I'll try to answer your questions from what I have learned about the issue so far.

  1. User passwords in the DB are not related at all to the machine key of the app. The ASP.NET worker process by default generates a new machine key every time your app is restarted.
    (Thus, if the DB passwords were dependent on the machine key, they would become invalid every few days.)

  2. About downloading Web.config, we don't really know. Some people think that it depends on another security hole. If you use MVC (or WebForms without these), it is safest to disable the .axd requests. (Handle *.axd with HttpForbiddenHandler.)

For example:

<httpHandlers>
    ...
    <remove verb="*" path="*.axd"/>
    <add validate="false" verb="*" path="*.axd" type="System.Web.HttpForbiddenHandler, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</httpHandlers>

Or do the same in the system.webServer section if you are using IIS 7.

Venemo
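Venemo's suggestion spelled out as a complete web.config fragment. This is an added example, not Venemo's own configuration: the httpHandlers entry is the one from the answer above and covers IIS 6 and IIS 7 classic mode; the system.webServer entries cover IIS 7 integrated mode (which ignores httpHandlers and rejects the file unless validateIntegratedModeConfiguration is switched off); and the requestFiltering entry goes beyond what the answer mentions, rejecting .axd requests with a 404 before any handler mapping is consulted, so the result does not depend on how the local handler is ordered against the inherited AssemblyResourceLoader mapping. The handler name "AxdForbidden" is an arbitrary choice for this example. As the comments below point out, this only fits a site that does not need WebResource.axd or ScriptResource.axd, so verify that against every control library in use before deploying it.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <!-- IIS 6 and IIS 7 classic mode: send every *.axd request to the
           forbidden handler (HTTP 403) instead of the resource loader -->
      <remove verb="*" path="*.axd"/>
      <add validate="false" verb="*" path="*.axd"
           type="System.Web.HttpForbiddenHandler, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
    </httpHandlers>
  </system.web>

  <system.webServer>
    <!-- Integrated mode refuses to start when system.web/httpHandlers is
         present unless this validation is disabled -->
    <validation validateIntegratedModeConfiguration="false"/>
    <handlers>
      <!-- IIS 7 integrated mode reads handler mappings from here.
           "AxdForbidden" is an arbitrary name chosen for this example. -->
      <add name="AxdForbidden" path="*.axd" verb="*"
           type="System.Web.HttpForbiddenHandler"
           resourceType="Unspecified" preCondition="integratedMode"/>
    </handlers>
    <security>
      <requestFiltering>
        <!-- Belt and braces: request filtering answers 404 for .axd before
             the handler pipeline runs, whatever the handler order is -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".axd" allowed="false"/>
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After deploying, request /WebResource.axd?d=x and /ScriptResource.axd?d=x from outside and confirm they come back as 403 (handler) or 404 (request filtering) rather than 200 or 500; a 500 would mean the ASP.NET handler is still reached and still decrypting the parameter.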
Yikes, disabling axd's on a production ASP.NET site is generally not an option for most people; ScriptManager and 3rd-party controls all routinely use WebResource.axd.
Chris Marisic
@Chris - As I said, MVC doesn't use it, so it is a valid option for MVC pages.
Venemo
1. Since I use a static machine key in web.config, the ASP.NET membership provider will use that key to encrypt passwords if I store encrypted passwords in the DB. Hence changing the machine key is not as easy as it looks. You cannot encrypt passwords if you use an autogenerated key.
kumar
2. I cannot disable *.axd due to my project design; I need the webresource.axd functionality. I am surprised that people say that web.config can be downloaded with webresource.axd. I am not asking to disable *.axd but asking how it will download web.config.
kumar
@kumar, if it really works that way, use a custom MembershipProvider. 2. As I said, it relies on another vulnerability. :)
Venemo
Just ignore the first part of my question. I believe that I have to re-encrypt the passwords with the new key, but before that I have to collect the passwords in unencrypted form. But for my second question, I don't understand why nobody is clearly telling me what the other vulnerability is which allows download of the web.config file. Does anybody know what the other vulnerability is, or are you all just saying it because others are saying it? Please clarify. Once I know the vulnerability I can fix it myself rather than waiting for Microsoft to provide the patch.
kumar
Anyway, I figured out how it allows download of web.config due to this vulnerability.
kumar
@kumar - really? Could you please share it with us?
Venemo