Overview
Microsoft ASP.NET contains a canonicalization vulnerability that may allow a remote unauthenticated attacker to gain access to secure contents.
Description
Microsoft ASP.NET is a programming framework for creating web applications. The canonicalization routine used by ASP.NET fails to correctly parse URLs.
Impact
Depending on the contents of the web site, an attacker may take a variety of actions. For example, a remote unauthenticated attacker may be able to access secure web site contents by using a specially crafted URL.
Solution
Install an update, as specified by MS05-004.
References
- http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx
- http://www.microsoft.com/protect/computer/updates/bulletins/200710.mspx
- http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp
- http://support.microsoft.com/kb/887289
- http://support.microsoft.com/kb/887459
- http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0221.html
- http://xforce.iss.net/xforce/xfdb/17644
- http://www.securityfocus.com/bid/11342
- http://secunia.com/advisories/12749/
- http://securitytracker.com/alerts/2004/Oct/1011559.html
- http://securitytracker.com/alerts/2005/Feb/1013109.html
Acknowledgements
This vulnerability was publicly disclosed by Toby Beaumont.
This document was written by Will Dormann.
Other Information
CVE IDs: CVE-2004-0847
Severity Metric: 37.97
Date Public: 2004-10-05
Date First Published: 2005-02-09
Date Last Updated: 2007-10-16 20:58 UTC
Document Revision: 13