Subject: Re: How hard to learn Win 2003 Server?
From: Mike '/m'
If you put a freshly-installed W2K on the web, make sure you are behind a
firewall until you get it patched up.
/m
On Sat, 19 Nov 2005 15:07:15 -0800, Randall Parker wrote:
>Geo,
>
>All thoroughly scary.
>
>In order to get a Win2k box up to date on all the security patches can one just surf
>to windowsupdate.microsoft.com and install what they tell you? Or do you have to go
>other places to install patches for ASPX and IIS?
>
>Geo wrote:
>> "Randall Parker" wrote in message news:4377dd07$1{at}w3.nls.net...
>>
>>
>>>I'm using ADO.Net, ASP.Net and IIS. I'm not using any other MS thingies.
>>
>>
>> I don't think the choices get that modular, like it's either the .net
>> extensions or nothing, but I may be wrong.
>>
>>
>>>Have there been any major exploits for aspx pages?
>>
>>
>> Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability
>> 2005-11-11
>> http://www.securityfocus.com/bid/14594
>>
>> Microsoft Windows MSRPC Eventlog Information Disclosure Vulnerability
>> 2005-07-07
>> http://www.securityfocus.com/bid/14178
>>
>> Microsoft ASP.NET URI Canonicalization Unauthorized Web Access Vulnerability
>> 2005-06-14
>> http://www.securityfocus.com/bid/11342
>>
>> Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability
>> 2005-01-18
>> http://www.securityfocus.com/bid/11173
>>
>> Multiple Vendor XML DTD Parameter Entity SOAP Server Denial Of Service
>> Vulnerability
>> 2003-12-11
>> http://www.securityfocus.com/bid/9204
>>
>> Multiple Vendor XML Parser SOAP Server Denial Of Service Vulnerability
>> 2003-12-09
>> http://www.securityfocus.com/bid/9185
>>
>> Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow Vulnerability
>> 2002-06-08
>> http://www.securityfocus.com/bid/4958
>>
>>
>>
>>>My app is not used by the general public. Everyone will have to log on in order to
>>>view other pages.
>>
>>
>> Is the server available to the public? In other words are any of the pages
>> available if I were to view the machine without logging in?
>>
>>
>>>I haven't written the security part of my app yet. I'm wondering if I have to write
>>>security code into every aspx page to check for an existing validated session or if
>>>there's some way before each page runs to check the cookie stuff before letting the
>>>page code execute at all. Any idea?
>>
>>
>> How would you code in something to protect you from
>>
>> http://www.example.com/secureDirectory%5Csomefile.aspx
>>
>> type of exploiting, that was the URI exploit listed above, doing that
>> allowed you to view stuff in a secure directory on the target server.
>>
>> Geo.
>>
>>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
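
The two questions in the quoted exchange above (one check that runs before any page code, and the `%5C` path variant) can be modelled together. This is an added example, not code posted by anyone in the thread, and it is a framework-neutral Python model rather than ASP.NET code; `PROTECTED_PREFIX`, `PUBLIC_PAGES`, `/login.aspx` and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed names for illustration; neither comes from the thread's application.
PROTECTED_PREFIX = "/securedirectory/"
PUBLIC_PAGES = {"/login.aspx"}


def naive_needs_login(raw_path):
    """Flawed: matches the raw request path against a protected prefix."""
    return raw_path.lower().startswith(PROTECTED_PREFIX)


def canonicalize(raw_path):
    """Return the single canonical form of a request path, or None to reject it."""
    path = unquote(raw_path)
    if unquote(path) != path:
        return None  # still decodes further: double-encoded input
    if "\\" in path or any(ord(c) < 0x20 for c in path):
        return None  # backslash or control character in a URL path
    # normpath resolves "." and ".." and collapses repeated slashes
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def gate(raw_path, authenticated):
    """Central decision made before any page code runs: reject, login or allow."""
    path = canonicalize(raw_path)
    if path is None:
        return "reject"
    if path in PUBLIC_PAGES or authenticated:
        return "allow"
    return "login"  # deny by default: every other page needs a session


if __name__ == "__main__":
    samples = (  # constructed request paths
        "/login.aspx",
        "/secureDirectory/somefile.aspx",
        "/secureDirectory%5Csomefile.aspx",
        "/public/../secureDirectory/x.aspx",
    )
    for raw in samples:
        print(f"{raw:36} naive={naive_needs_login(raw)!s:5} gate={gate(raw, False)}")
```

The prefix match on the raw path misses both the backslash form and the `..` form, while the gate decides on the canonical path and treats everything outside the public list as requiring a session.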
SOURCE: echomail via fidonet.ozzmosis.com