Solved

ValidateRequest filters asp.net pegged as vulnerable by Qualys scan

Posted on 2012-04-02
Last Modified: 2012-06-27
We have an internal Qualys scanner that is pegging an ASP.NET ValidateRequest filters Bypass Cross-Site scripting vulnerability on an Exchange 2003 SP2 OWA box running Windows Server 2003 SP2. The Qualys report indicates no patch is available for this specific issue, but I was wondering if I needed to update the ASP.NET on the system. ASP.NET is at version 1.1.4322, but I was unsure if it was upgradeable on Windows Server 2003 since we have .NET 3.5 SP1 installed.

If anyone has any idea on this particular issue or on upgrading ASP.NET, please feel free to comment. Thanks.
Question by:dumamo
2 Comments
 

Accepted Solution

by:
ahoffmann earned 500 total points
Sounds like the same problem as described in http://www.experts-exchange.com/Q_27656217.html
except that you use .NET 1.x; not sure if a fix will be available for that.
If there is no fix, you either need to fix the application or install a WAF (ModSecurity on Apache may help).

Expert Comment

by:pand0ra_usa
Have you applied KB931832 and KB950159?

If you are not already using URLScan from Microsoft (ISAPI filter), you should look at installing it.

Here is a paper discussing that type of attack (so you have a better understanding of it and some examples you can use to validate if you are vulnerable; don't blindly trust Qualys or any scanner. Verify the results):
http://www.procheckup.com/vulnerability_manager/documents/document_1258758664/bypassing-dot-NET-ValidateRequest.pdf

http://technet.microsoft.com/en-us/security/bulletin/ms07-040