ASP.NET Security Patch



10 Dec 2004

H-Sphere versions:   All

The .NET configuration file structure was changed in ASP.NET v.1.1, which resulted in a severe local exploit. The suggested patch fixes settings in the configuration file to ensure that customer scripts are executed under the corresponding user account rather than the built-in System account.

The improved patch performs the following:

  1. Sets the following tag in C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config
    <identity impersonate="true"/>
  2. Adds allowDefinition="MachineOnly" to the tag that defines the identity configuration section:
    <section name="identity" type="System.Web.Configuration.IdentityConfigHandler, System.Web, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" allowDefinition="MachineOnly" />
  3. Following Microsoft's guidance, adds user groups with read/write permissions to the directory
    C:\Documents and settings\ServerName\ASPNET\local settings\temp
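
One way to confirm that settings 1 and 2 are in place is to parse the configuration file and check both attributes. The script below is an added example, not part of the H-Sphere patch; the function names and the sample XML fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragments shaped like machine.config (not copied from a real server).
HANDLER = ("System.Web.Configuration.IdentityConfigHandler, System.Web, "
           "Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
TEMPLATE = """<configuration>
  <configSections>
    <sectionGroup name="system.web">
      <section name="identity" type="{handler}" {lock}/>
    </sectionGroup>
  </configSections>
  <system.web>
    <identity impersonate="{impersonate}"/>
  </system.web>
</configuration>"""
PATCHED = TEMPLATE.format(handler=HANDLER, lock='allowDefinition="MachineOnly" ', impersonate="true")
UNPATCHED = TEMPLATE.format(handler=HANDLER, lock="", impersonate="false")


def child(parent, tag):
    """First direct child with this exact tag, or None (hypothetical helper)."""
    if parent is None:
        return None
    return next((c for c in parent if c.tag == tag), None)


def audit_identity(root):
    """Return findings for a parsed machine.config root; [] means both settings are in place."""
    findings = []

    # Step 1 of the patch: <identity impersonate="true"/> under <system.web>.
    identity = child(child(root, "system.web"), "identity")
    if identity is None or identity.get("impersonate") != "true":
        findings.append("impersonation is not enabled in <system.web>")

    # Step 2: the section declaration must carry allowDefinition="MachineOnly",
    # which stops a per-site web.config from redefining <identity>.
    sections = child(root, "configSections")
    decls = [] if sections is None else [
        s for s in sections.iter("section") if s.get("name") == "identity"]
    if not decls or any(s.get("allowDefinition") != "MachineOnly" for s in decls):
        findings.append("identity section is not locked to MachineOnly")

    return findings


if __name__ == "__main__":
    # For a file on disk, use ET.parse(path).getroot() instead of ET.fromstring().
    for label, xml_text in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(label, audit_identity(ET.fromstring(xml_text)) or "OK")
```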

To install the update, please download and run the patch.



Copyright 1998-2008. Positive Software Corporation.
All rights reserved.