Microsoft ASP.NET ValidateRequest Filters Bypass Cross-Site Scripting Vulnerability

Hi Folks,
I have a client with a potential vulnerability discovered from a recent network scan and I cannot find a way to mitigate it for them. They are running a website on a Windows 2003 sp2 Server, fully up to date including .net framework 4. I still get this vulnerability though. Does anyone have a simplistic solution for it as we are not developers?




Microsoft ASP.NET ValidateRequest Filters Bypass Cross-Site Scripting Vulnerability

port 443/tcp




 QID:90780Category:WindowsCVE ID:CVE-2008-3842 CVE-2008-3843 Vendor Reference-Bugtraq ID:-Service Modified:10/01/2012User Modified:-Edited:NoPCI Vuln:YesTHREAT:ASP.NET is a Web application framework developed by Microsoft. validateRequest filters, is a feature of ASP.NET which prevents the server from accepting content containing un-encoded HTML. This feature is designed to help prevent some script-injection attacks whereby client script code or HTML can be unknowingly submitted to a server, stored, and then presented to other users.
 Microsoft ASP.NET validateRequest filters could allow a remote attacker to bypass it's filters and conduct cross-site scripting attacks using a less-than slash (</) and less-than tilde slash (<~/) sequence. These vulnerabilities are described in CVE-2008-3842 and CVE-2008-3843.
 
This QID does not actively check for the XSS in the web application but relies on the ASP.NET banner version. For confirming the vulnerability please run a web application scan.
 Affected Versions:
 Microsoft ASP.NET CLR version 1.1.4322.2407 and 2.0.50727 which is used in ASP.NET version 1.0 through 3.5 is affected.

For a detailed description of CLR versions and ASP.NET version please refer to .NET framework

IMPACT:Attackers can potentially launch XSS attacks against vulnerable applications that solely rely on ASP .NET ValidateRequest filters. This type of attack can result in defacement of the target site, or the redirection of confidential information (i.e.: session IDs or passwords) to unauthorised third parties.

SOLUTION:The issue described in CVE-2008-3842 is fixed by the MS07-040 update. There are no patches available for CVE-2008-3843. The vulnerability can be mitigated by not relying on the ValidateRequest filters delivered with ASP.NET, using custom input filters and secure coding practices.
 Please update to the latest .Net framework .NET framework

COMPLIANCE:Not ApplicableEXPLOITABILITY:There is no exploitability information for this vulnerability.

ASSOCIATED MALWARE:There is no malware information for this vulnerability.

RESULTS:QID: 90780 detected on port 443 over TCP.
X-AspNet-Version: 2.0.50727
mrosierAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alexandre SimõesManager / Technology SpecialistCommented:
Well, apparently what you have is a flag set on you website, either in the master page or in a specific page that forces the bypass for XSS.

Search for this: ValidateRequest="false"

The problem is that the website might actually need this to work in some parts.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mrosierAuthor Commented:
thanks so much! I will see with the application vendor if that can be altered or something to eliminate. Thanks!!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP.NET

From novice to tech pro — start learning today.