echo: nthelp
to: Randall Parker
from: Geo
date: 2005-11-13 21:47:40
subject: Re: How hard to learn Win 2003 Server?

From: "Geo"

"Randall Parker" wrote in message news:4377dd07$1{at}w3.nls.net...

> I'm using ADO.Net, ASP.Net and IIS. I'm not using any other MS thingies.

I don't think the choices get that modular, like it's either the .net
extensions or nothing, but I may be wrong.

> Have there been any major exploits for aspx pages?

Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability 2005-11-11
http://www.securityfocus.com/bid/14594

Microsoft Windows MSRPC Eventlog Information Disclosure Vulnerability 2005-07-07
http://www.securityfocus.com/bid/14178

Microsoft ASP.NET URI Canonicalization Unauthorized Web Access Vulnerability 2005-06-14
http://www.securityfocus.com/bid/11342

Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability 2005-01-18
http://www.securityfocus.com/bid/11173

Multiple Vendor XML DTD Parameter Entity SOAP Server Denial Of Service Vulnerability 2003-12-11
http://www.securityfocus.com/bid/9204

Multiple Vendor XML Parser SOAP Server Denial Of Service Vulnerability 2003-12-09
http://www.securityfocus.com/bid/9185

Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow Vulnerability 2002-06-08
http://www.securityfocus.com/bid/4958


> My app is not used by the general public. Everyone will have to log on in
> order to view other pages.

Is the server available to the public? In other words, are any of the pages
available if I were to view the machine without logging in?

> I haven't written the security part of my app yet. I'm wondering if I have
> to write security code into every aspx page to check for an existing validated
> session or if there's some way before each page runs to check the cookie stuff
> before letting the page code execute at all. Any idea?

How would you code in something to protect you from

http://www.example.com/secureDirectory%5Csomefile.aspx

type of exploiting? That was the URI exploit listed above; doing that
allowed you to view stuff in a secure directory on the target server.
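As an added illustration, not code from Geo's or Randall's posts: in ASP.NET the HTTP pipeline raises application events before any .aspx page code runs, so both checks the thread asks about can live once in Global.asax instead of in every page. The path test mirrors the workaround Microsoft published for the canonicalization issue (reject a path containing a backslash or one that does not canonicalize to itself); the login check assumes Forms Authentication is configured in web.config, that the protected pages sit under /secureDirectory/, and that the login page is /login.aspx (assumed names).

```csharp
<%@ Application Language="C#" %>
<script runat="server">
// Added example: fires on every request, before any .aspx page code executes.
void Application_BeginRequest(object sender, EventArgs e)
{
    // Request.Path is the URL-decoded path, so "%5C" arrives here as '\'.
    string path = Request.Path;

    // Reject a backslash anywhere in the path, and reject any request whose
    // physical path does not canonicalize to itself. This is the same pair of
    // tests Microsoft suggested as a workaround for the canonicalization bug.
    if (path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath)
    {
        throw new HttpException(404, "Not found");
    }
}

// Fires after the Forms Authentication module has validated the ticket cookie
// (if any) but still before the page runs, so no per-page session code is needed.
void Application_AuthorizeRequest(object sender, EventArgs e)
{
    // Assumed layout: everything under /secureDirectory/ requires a signed-in user.
    bool wantsSecure = Request.Path.StartsWith("/secureDirectory/",
                                               StringComparison.OrdinalIgnoreCase);
    bool signedIn = Request.IsAuthenticated;   // true only if the auth ticket checked out

    if (wantsSecure && !signedIn)
    {
        // Assumed login page name; keep the original URL so the user can return to it.
        Response.Redirect("/login.aspx?ReturnUrl=" + Server.UrlEncode(Request.RawUrl), true);
    }
}
</script>
```

With Forms Authentication the declarative `<authorization><deny users="?"/></authorization>` block in web.config is the usual way to protect a directory; the BeginRequest check above still matters on an unpatched server because it stops the backslash path before the authorization step ever sees it.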

Geo.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
