Security Advisory (Vulnerability in ASP.NET) and SharePoint

Posted By  André Lage On 27 Sep 2010 09:09:17

Introduction

We recently released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This post explains the impact on SharePoint and documents a recommended workaround.

This vulnerability affects Microsoft SharePoint 2010 and Microsoft SharePoint Foundation 2010. The vulnerability is in ASP.NET.

We recommend that all SharePoint 2010 customers apply the workaround as soon as possible. This post will be updated with any new information.

The workaround for SharePoint 2010 is slightly different from the one documented in the advisory. For SharePoint 2010, you should follow the instructions below on every web front-end in your SharePoint farm:

  1. Browse to the SharePoint installation directory at %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\template\layouts.
  2. Create a new file called error2.aspx in this directory with the following content:

    <%@ Page Language="C#" AutoEventWireup="true" %>
    <%@ Import Namespace="System.Security.Cryptography" %>
    <%@ Import Namespace="System.Threading" %>

    <script runat="server">
        void Page_Load() {
            // One random byte from the cryptographic RNG (0-255).
            byte[] delay = new byte[1];
            RandomNumberGenerator prng = new RNGCryptoServiceProvider();

            prng.GetBytes(delay);
            // Pause for that many milliseconds before the error page is returned.
            Thread.Sleep((int)delay[0]);

            IDisposable disposable = prng as IDisposable;
            if (disposable != null) { disposable.Dispose(); }
        }
    </script>

    <html>
    <head runat="server">
        <title>Error</title>
    </head>
    <body>
        <div>
            An error occurred while processing your request.
        </div>
    </body>
    </html>

  3. Navigate to %SystemDrive%\inetpub\wwwroot\wss\virtualdirectories.
  4. For each subfolder in this directory, do the following:

  1. Edit web.config.
  2. Find the customErrors node and change it to:

    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/_layouts/error2.aspx" />

  3. Save your changes.
  4. Run iisreset /noforce.
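
To confirm the workaround is in place on a web front-end, the following PowerShell audit can be run there. It is an added example, not part of the original post or the advisory; the function name Get-CustomErrorsFindings and the OK/REVIEW/MISSING labels are hypothetical, while the paths and attribute values are the ones given in the steps above.

```powershell
# Added audit example; not part of the original post.
$layouts = "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\14\template\layouts"
$vdirs   = "$env:SystemDrive\inetpub\wwwroot\wss\virtualdirectories"

# Attribute values exactly as given in the workaround.
$expected = @{
    mode            = 'On'
    redirectMode    = 'ResponseRewrite'
    defaultRedirect = '/_layouts/error2.aspx'
}

function Get-CustomErrorsFindings {
    param([string]$ConfigPath)

    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($ConfigPath)
    # local-name() keeps the match working if the file declares a default namespace.
    $nodes = $doc.SelectNodes("//*[local-name()='customErrors']")
    if ($nodes.Count -eq 0) { return @('no customErrors node found') }

    $findings = @()
    foreach ($node in $nodes) {
        foreach ($name in $expected.Keys) {
            $actual = $node.GetAttribute($name)   # empty string when the attribute is absent
            if ($actual -cne $expected[$name]) {
                $findings += "$name is '$actual', expected '$($expected[$name])'"
            }
        }
        # The node in the workaround has no children; <error> children
        # override defaultRedirect for their status codes.
        if ($node.SelectNodes("*[local-name()='error']").Count -gt 0) {
            $findings += 'customErrors has <error> child elements'
        }
    }
    return $findings
}

if (-not (Test-Path -LiteralPath (Join-Path $layouts 'error2.aspx'))) {
    Write-Output "MISSING  $layouts\error2.aspx"
}

Get-ChildItem -LiteralPath $vdirs | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $config = Join-Path $_.FullName 'web.config'
    if (-not (Test-Path -LiteralPath $config)) { return }   # skip folders without a web.config
    $findings = @(Get-CustomErrorsFindings -ConfigPath $config)
    if ($findings.Count -eq 0) { Write-Output "OK       $config" }
    else { $findings | ForEach-Object { Write-Output "REVIEW   ${config}: $_" } }
}
```

Run it on every web front-end in the farm, since the steps above are applied per server.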

That's all. Keep your SharePoint application always secure.
