| subject: | Re: How hard to learn Win 2003 Server? |
From: Adam
Randall Parker wrote:
> Geo,
>
> All thoroughly scary.
>
> In order to get a Win2k box up to date on all the security patches can
> one just surf to windowsupdate.microsoft.com and install what they tell
> you? Or do you have to go other places to install patches for ASPX and IIS?
>
First use another (secure) computer to download a firewall etc.
Or make sure the machine is on a network behind a reasonably secure firewall etc.
I'm not kidding.
Then, once you have a reasonably secure connection, connect to Windows Update.
Adam
> Geo wrote:
>
>> "Randall Parker" wrote in message news:4377dd07$1{at}w3.nls.net...
>>
>>> I'm using ADO.Net, ASP.Net and IIS. I'm not using any other MS thingies.
>>
>> I don't think the choices get that modular, like it's either the .net
>> extensions or nothing, but I may be wrong.
>>
>>> Have there been any major exploits for aspx pages?
>>
>> Microsoft Visual Studio .NET msdds.dll Remote Code Execution
>> Vulnerability
>> 2005-11-11
>> http://www.securityfocus.com/bid/14594
>>
>> Microsoft Windows MSRPC Eventlog Information Disclosure Vulnerability
>> 2005-07-07
>> http://www.securityfocus.com/bid/14178
>>
>> Microsoft ASP.NET URI Canonicalization Unauthorized Web Access
>> Vulnerability
>> 2005-06-14
>> http://www.securityfocus.com/bid/11342
>>
>> Microsoft GDI+ Library JPEG Segment Length Integer Underflow
>> Vulnerability
>> 2005-01-18
>> http://www.securityfocus.com/bid/11173
>>
>> Multiple Vendor XML DTD Parameter Entity SOAP Server Denial Of Service
>> Vulnerability
>> 2003-12-11
>> http://www.securityfocus.com/bid/9204
>>
>> Multiple Vendor XML Parser SOAP Server Denial Of Service Vulnerability
>> 2003-12-09
>> http://www.securityfocus.com/bid/9185
>>
>> Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow
>> Vulnerability
>> 2002-06-08
>> http://www.securityfocus.com/bid/4958
>>
>>> My app is not used by the general public. Everyone will have to log
>>> on in order to view other pages.
>>
>> Is the server available to the public? In other words are any of the
>> pages available if I were to view the machine without logging in?
>>
>>> I haven't written the security part of my app yet. I'm wondering if I
>>> have to write security code into every aspx page to check for an
>>> existing validated session or if there's some way before each page runs
>>> to check the cookie stuff before letting the page code execute at all.
>>> Any idea?
>>
>> How would you code in something to protect you from
>>
>> http://www.example.com/secureDirectory%5Csomefile.aspx
>>
>> type of exploiting, that was the URI exploit listed above, doing that
>> allowed you to view stuff in a secure directory on the target server.
>>
>> Geo.
>>
>>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
| SOURCE: echomail via fidonet.ozzmosis.com | |
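An added example, not part of the thread and not ASP.NET's own code: a central "requires login" gate of the kind Randall asks about, shown once comparing the raw request path and once comparing the canonical path, using the `secureDirectory%5Csomefile.aspx` URL Geo quotes. The class and method names and the protected prefix are hypothetical, and the sample paths are constructed; in a real application the hardened check would be called from a per-request hook that runs before any page code.

```csharp
using System;
using System.Collections.Generic;

static class PathGate
{
    // Hypothetical protected prefix, taken from the URL quoted in the thread.
    const string Protected = "/securedirectory/";

    // Naive gate: decides on the path exactly as the client sent it.
    public static bool NaiveRequiresLogin(string rawPath) =>
        rawPath.ToLowerInvariant().StartsWith(Protected, StringComparison.Ordinal);

    // Canonicalize the way a Windows file system will resolve the path:
    // percent-decode, treat '\' as a separator, collapse "." and "..".
    // Returns null when the path cannot be canonicalized safely.
    public static string Canonicalize(string rawPath)
    {
        string decoded = Uri.UnescapeDataString(rawPath);
        // A '%' left after one decode means double encoding or a bad escape: reject.
        if (decoded.IndexOf('%') >= 0 || decoded.IndexOf('\0') >= 0) return null;
        var stack = new List<string>();
        foreach (string seg in decoded.Replace('\\', '/').Split('/'))
        {
            if (seg.Length == 0 || seg == ".") continue;
            if (seg == "..")
            {
                if (stack.Count == 0) return null;   // would climb above the site root
                stack.RemoveAt(stack.Count - 1);
                continue;
            }
            stack.Add(seg.ToLowerInvariant());
        }
        return "/" + string.Join("/", stack);
    }

    // Hardened gate: decide on the canonical form and fail closed on anything odd.
    public static bool RequiresLogin(string rawPath)
    {
        string canon = Canonicalize(rawPath);
        return canon == null || (canon + "/").StartsWith(Protected, StringComparison.Ordinal);
    }

    static void Main()
    {
        // Constructed sample paths; the second is the form quoted in the thread.
        string[] samples = { "/secureDirectory/somefile.aspx", "/secureDirectory%5Csomefile.aspx",
                             "/SECUREDIRECTORY/somefile.aspx", "/public/default.aspx" };
        foreach (string p in samples)
            Console.WriteLine("{0,-36} naive={1,-5} hardened={2}", p, NaiveRequiresLogin(p), RequiresLogin(p));
    }
}
```

The naive gate treats the `%5C` request as a file in the site root and lets it through unauthenticated, while the hardened gate resolves it into the protected directory before deciding.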