echo: nthelp
to: Geo
from: Randall Parker
date: 2005-11-19 15:07:14
subject: Re: How hard to learn Win 2003 Server?

Geo,

All thoroughly scary.

In order to get a Win2k box up to date on all the security patches can one just surf
to windowsupdate.microsoft.com and install what they tell you? Or do you have to go
other places to install patches for ASPX and IIS?

Geo wrote:
> "Randall Parker" wrote in message news:4377dd07$1{at}w3.nls.net...
>
>>I'm using ADO.Net, ASP.Net and IIS. I'm not using any other MS thingies.
>
>
> I don't think the choices get that modular, like it's either the .net
> extensions or nothing, but I may be wrong.
>
>
>>Have there been any major exploits for aspx pages?
>
>
> Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability
> 2005-11-11
> http://www.securityfocus.com/bid/14594
>
> Microsoft Windows MSRPC Eventlog Information Disclosure Vulnerability
> 2005-07-07
> http://www.securityfocus.com/bid/14178
>
> Microsoft ASP.NET URI Canonicalization Unauthorized Web Access Vulnerability
> 2005-06-14
> http://www.securityfocus.com/bid/11342
>
> Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability
> 2005-01-18
> http://www.securityfocus.com/bid/11173
>
> Multiple Vendor XML DTD Parameter Entity SOAP Server Denial Of Service
> Vulnerability
> 2003-12-11
> http://www.securityfocus.com/bid/9204
>
> Multiple Vendor XML Parser SOAP Server Denial Of Service Vulnerability
> 2003-12-09
> http://www.securityfocus.com/bid/9185
>
> Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow Vulnerability
> 2002-06-08
> http://www.securityfocus.com/bid/4958
>
>
>
>>My app is not used by the general public. Everyone will have to log on in
>>order to view other pages.
>
>
> Is the server available to the public? In other words are any of the pages
> available if I were to view the machine without logging in?
>
>
>>I haven't written the security part of my app yet. I'm wondering if I have
>>to write security code into every aspx page to check for an existing
>>validated session or if there's some way before each page runs to check the
>>cookie stuff before letting the page code execute at all. Any idea?
>
>
> How would you code in something to protect you from
>
> http://www.example.com/secureDirectory%5Csomefile.aspx
>
> type of exploiting, that was the URI exploit listed above, doing that
> allowed you to view stuff in a secure directory on the target server.
>
> Geo.
>
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
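
Added example, not part of the original thread: a C# sketch of one gate that runs before any page code, canonicalises the request path, and denies by default, set beside a naive prefix check that the %5C form quoted above slips past. In ASP.NET the Decide call would sit in the Application_BeginRequest handler in Global.asax or in an IHttpModule. RequestGate, PublicPaths, /login.aspx and /reports/list.aspx are hypothetical names chosen for this sketch.

```csharp
using System;

static class RequestGate
{
    // Hypothetical page name: the only path served without a session.
    static readonly string[] PublicPaths = { "/login.aspx" };

    // Naive check: only asks whether the raw path starts with the protected prefix.
    public static bool NaiveNeedsLogin(string rawPath)
    {
        return rawPath.StartsWith("/secureDirectory/", StringComparison.OrdinalIgnoreCase);
    }

    // Hardened check: canonicalise first, then deny by default.
    public static string Decide(string rawPath, bool hasSession)
    {
        string path = Uri.UnescapeDataString(rawPath);   // "%5C" becomes "\"
        // Reject anything not already in canonical form: backslashes, a leftover
        // "%" (double encoding), empty segments and parent-directory segments.
        if (path.IndexOf('\\') >= 0 || path.IndexOf('%') >= 0 ||
            path.Contains("//") || path.Contains("/../") || path.EndsWith("/.."))
            return "400 reject";
        foreach (string p in PublicPaths)
            if (string.Equals(path, p, StringComparison.OrdinalIgnoreCase))
                return "200 public";
        // Everything that is not explicitly public needs a validated session.
        return hasSession ? "200 authenticated" : "302 to login";
    }

    static void Main()
    {
        // Constructed sample requests; the second is the form quoted in the thread.
        string[] samples = {
            "/secureDirectory/somefile.aspx",
            "/secureDirectory%5Csomefile.aspx",
            "/secureDirectory%255Csomefile.aspx",
            "/login.aspx",
            "/reports/list.aspx"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-38} naive-protected={1,-5} gate={2}",
                s, NaiveNeedsLogin(s), Decide(s, false));
    }
}
```

Because the gate lists what is public rather than what is protected, a path that fails to match a prefix is never served by omission. The trade-off in this sketch is that a legitimate file name containing a literal "%" is also rejected.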
