SharePoint
Microsoft SharePoint Team Blog
Search
SharePoint Home  |   RSS

The official blog of the Microsoft SharePoint Product Group
2010
October 26
Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.
by   System Account   on  10/26/2010 1:23 AM

** Updated 9/27/2010 7:20PM ** – Updated with Out of Band Security Update announcement details.
** Updated 9/24/2010 4:30PM ** – Updated with additional defensive workaround published by the ASP.NET team valid for ALL affected versions of SharePoint listed below.
** Updated 9/22/2010 10:40AM ** – Updated verification step for SharePoint Server 2007 and Windows SharePoint Services 3.0 and added an exception in the workaround for Windows SharePoint Services 2.0 running under ASP.NET 1.1.
** Updated 9/21/2010 11:05PM ** – Updated with workaround for SharePoint Server 2007 and Windows SharePoint Services 3.0 and updated SharePoint 2010 workaround.
** Updated 9/21/2010 3:06PM ** – Included details for previous releases and workaround for WSS 2.0.

Update: Out of Band Release to address Microsoft Security Advisory 2416728 announcement.  See this post for details.

Update: Please note the additional workaround published 9/24/2010 4:40PM.  The original security advisory has been updated this afternoon to include additional defensive measures (Installing and enabling UrlScan or configuring IIS request filtering).  Please read the workarounds section of the security advisory and the update posted here for full details.  This extra step is applicable for ALL versions of SharePoint affected by this issue.

Update: Please note the important change from the 9/21/2010 3:06PM update to this blog post.  We originally stated that SharePoint Server 2007 and Windows SharePoint Services 3.0 did not require the workaround to be applied, however, we have recently discovered through testing that a variant of the issue does affect SharePoint Server 2007 and Windows SharePoint Services 3.0 and also requires extra steps in the workaround for SharePoint Server 2010 (Steps 5-9).  Customers with these versions should refer to the relevant workaround below.  We will continue to keep this post updated with the latest guidance.

We recently released a Microsoft Security Advisory for a vulnerability affecting ASP.NET.  This post documents recommended workarounds for the following SharePoint products:

  • SharePoint 2010
  • SharePoint Foundation 2010
  • Microsoft Office SharePoint Server 2007
  • Windows SharePoint Services 3.0
  • Windows SharePoint Services 2.0

A workaround is not necessary for SharePoint Portal Server 2003. 

The workarounds for the affected versions of SharePoint and Windows SharePoint Services listed above are temporary measures that do not fix the underlying issue but help to block known attack vectors until an ASP.NET security update is released.  We will provide instructions on how to revert the workarounds when the security update is released.

We recommend that all affected SharePoint customers apply the workaround as soon as possible.  You should apply the workaround to every web front-end in your SharePoint farm.

Workaround for SharePoint 2010 & SharePoint Foundation 2010

  1. Navigate to the SharePoint installation directory at %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\14\template\layouts.
  2. Create a new file called error2.aspx in this directory with the following content: 
    <%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
   void Page_Load() {
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);
        
      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
  3. Navigate to %SystemDrive%\inetpub\wwwroot\wss\virtualdirectories.
  4. For each subfolder in this directory, do the following:
    1. Edit web.config
    2. Find the customErrors node and change it to; 
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/_layouts/error2.aspx" />
    3. Save your changes
  5. Navigate to %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\14\isapi.
  6. Make a copy of the web.config file at this location and rename it to web_backup.config
    1. Important: if you skip this step, the workaround may affect your ability to apply patches to your SharePoint installation at a later date
  7. Edit web.config and add the following lines immediately following the <configuration> node, before <system.web>: 
    <system.webServer>
    <handlers>
        <remove name="AssemblyResourceLoader-Integrated-4.0" />
        <remove name="AssemblyResourceLoader-Integrated" />
    </handlers>
</system.webServer>
  8. Save your changes
  9. Run iisreset /noforce

Verifying the workaround:  After applying the workaround, you may not see a change in SharePoint’s error handling behavior.  For example, you will still receive a 404 error if you try to access a page that does not exist – this is unique to the SharePoint workaround and is different from the expected behavior described here. This is by design — the workaround described here specifically protects against the ASP.NET vulnerability in error cases that are not handled by SharePoint.

Workaround for Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0

  1. Navigate to the SharePoint installation directory at %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\isapi.
  2. Make a copy of the web.config file at this location and rename it to web_backup.config
    1. Important: if you skip this step, the workaround may affect your ability to apply patches to your SharePoint installation at a later date.
  3. Edit web.config and add an httpHandlers section as shown: 
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
    <system.web>
        <webServices>
            <protocols>
                <remove name="HttpGet" />
                <remove name="HttpPost" />
                <remove name="HttpPostLocalhost" />
                <add name="Documentation" />
            </protocols>
        </webServices>
        <customErrors mode="On" />
      <httpHandlers>   
         <remove path="WebResource.axd" verb="GET"/>    
      </httpHandlers> 
    </system.web>
    <location path="authentication.asmx">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="wsdisco.aspx">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="wswsdl.aspx">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location> 
</configuration>
  4. Save your changes
  5. Run iisreset /noforce

Verifying the workaround: Browse to http://servername/_vti_bin/webresource.axd.  In both cases (with and without the workaround), SharePoint will handle the error and redirect you to /_layouts/error.aspx.  This page takes a query parameter (ErrorText) with a more detailed description of the error that occurred.

After applying the workaround, ErrorText will always say “Path /_vti_bin/webresource.axd was not found”.

Workaround for Windows SharePoint Services 2.0

Only apply this workaround for sites that run under ASP.NET 2.0.  Sites running under ASP.NET 1.1 are not affected and do not need a workaround.

  1. Navigate to the SharePoint installation directory at %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\60\template\layouts.
  2. Create a new file called error.aspx in this directory with the following content: 
    <%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
   void Page_Load() {
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);
        
      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
  3. Navigate to %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\60\isapi.
  4. Make a copy of the web.config file at this location and rename it to web_backup.config
    1. Important: if you skip this step, the workaround may affect your ability to apply patches to your SharePoint installation at a later date
  5. Edit web.config and add an httpHandlers section as shown: 
    <configuration>
   <system.web>
      <webServices>
         <protocols>
            <remove name="HttpGet" />
            <remove name="HttpPost" />
            <remove name="HttpPostLocalhost" />
            <add name="Documentation" />
         </protocols>
      </webServices> 
      <httpHandlers>   
         <remove path="WebResource.axd" verb="GET"/>    
      </httpHandlers>  
      <customErrors mode="On"/>
      <trust level="Full" originUrl="" />
   </system.web>
</configuration>
  6. Save your changes
  7. Run iisreset /noforce

Verifying the workaround: For Windows SharePoint Services 2.0 installations, you can verify the workaround in two parts:

  1. Browse to http://servername/_layouts/foo.aspx.  You should receive an error message stating “An error occurred while processing your request.”
  2. Browse to http://servername/_vti_bin/webresource.axd.  You should receive an error message stating “Path ‘/_vti_bin/webresource.axd’ was not found.”


For more information:

Microsoft Security Advisory (2416728)(Updated 9/24/2010) Vulnerability in ASP.NET Could Allow Information Disclosure
Security Advisory 2416728 Released – Microsoft Security Response Center Blog
Understanding the ASP.NET Vulnerability – Microsoft Security Research & Defense Blog
Important: ASP.NET Security Vulnerability – Scott Guthrie’s Blog
Frequently Asked Questions about the ASP.NET Security Vulnerability – Scott Guthrie’s Blog

Update on ASP.NET Vulnerability  - Scott Guthrie’s Blog

Security Advisory 2416728 - Workaround Update - Microsoft Security Response Center Blog
Permanent Link to Post | Email Post Link | Number of Comments 12 Comment(s)

Comments

re: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

Does this also impact Team Foundation Server 2008 and or Project Server 2007?  Both of which use Windows SharePoint Services 3.0…. If so is the temporary fix the same?

 Commented by <empty> on 9/24/2010 1:29:44 PM

System Account on 9/24/2010 1:29 PM

re: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

I tried the above workaround on a forms based authtenticated site and got the following error as soon as I tried navigating to the site: The WebResource.axd handler must be registered in the configuration to process this request.
There was no error message received in the url, instead I got the following, http://myserver/_layouts/login.aspx?ReturnUrl=%2f
The anonymous / Windows authenticated sites running on the same server responded with the expected "Path /_vti_bin/webresource.asx was not found. Is there another workaround for sites that use FBA? Also, is the above workaround in addition to the steps outlined in the security advisory?

 Commented by <empty> on 9/23/2010 12:34:58 PM

System Account on 9/23/2010 12:34 PM

re: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

BobCinGRR -- if you're getting “Path /_vti_bin/webresource.axd was not found” in the error text parameter of the URL then you've applyed the workaround correctly.

 Commented by <empty> on 9/23/2010 10:04:58 AM

System Account on 9/23/2010 10:04 AM

re: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

For WSS3/MOSS Please clarify the verification process.  On my WSS farm the standard WSS error page displays "An error has occurred on the server. " , but the query param contains “Path /_vti_bin/webresource.axd was not found”.

 Commented by <empty> on 9/23/2010 6:26:25 AM

System Account on 9/23/2010 6:26 AM

re: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

What about MOSS2007? This does not take care of the 404 page.

 Commented by <empty> on 9/21/2010 12:36:57 PM

System Account on 9/21/2010 12:36 PM

re: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

Thanks for your answer imorrish. I wonder why this fix is specifically for SharePoint 2010 then? Shouldn't this also be for MOSS?

 Commented by <empty> on 9/21/2010 4:45:20 AM

System Account on 9/21/2010 4:45 AM

re: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

MichaelvR, it is only the location of the error file that is different because the root of the web.config is not available to a SharePoint web application. An explicitly excluded virtual directory is required and _Layouts is such a location (files in this location are on the HDD and not in the content DB).

 Commented by <empty> on 9/21/2010 2:42:57 AM

System Account on 9/21/2010 2:42 AM

re: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

Zubair from Auckland University has created a SharePoint solution to deploy this on your SharePoint farm...
shojeeb.com/.../security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint

 Commented by <empty> on 9/21/2010 2:40:28 AM

System Account on 9/21/2010 2:40 AM

re: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

Could you elaborate on why SharePoint 2010 has a different workaround then the one documented in the advisory?

 Commented by <empty> on 9/21/2010 1:01:52 AM

System Account on 9/21/2010 1:01 AM

re: Security Advisory 2416728 (Vulnerability in ASP.NET) and SharePoint.

What happens to MOSS? Does this way work for MOSS too?

 Commented by <empty> on 9/20/2010 7:53:42 PM

System Account on 9/20/2010 7:53 PM
1 - 10Next

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Title


Body *


Captcha

Please verify the text shown in the image

Commented By


Migrated Source URL


Commentator Name


Commentator Email


Attachments

© 2012 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement
add to favorites
send this page
print friendly

Microsoft SharePoint Team Blog