This just in, and, seeing that it doesn’t say I’m not allowed to, I figured I post it here for general information:
Microsoft encourages customers to review this Security Bulletin.
Issue:
ASP.NET is a collection of technologies that help developers to build web-based applications. Web-based applications, including those built using ASP.NET, rely on HTTP to provide connectivity. One characteristic of HTTP as a protocol is that it is stateless, meaning that each page request from a user to a site is reckoned an independent request. To compensate for this, ASP.NET provides for session state management through a variety of modes.
One of these modes is StateServer mode. This mode stores session state information in a separate, running process. That process can run on the same machine or a different machine from the ASP.NET application. There is an unchecked buffer in one of the routines that handles the processing of cookies in StateServer
mode. A security vulnerability results because it is possible for an attacker to seek to exploit it by mounting a buffer overrun attack. A successful attack could cause the ASP.NET application to restart. As a result, all current users of the web-based application would see their current session restart and their current session information would be lost.
The StateServer mode is not the default mode for session state management in ASP.NET. ASP.NET applications using StateServer mode that do not use cookies are not vulnerable.
Mitigating Factors:
- StateServer mode is not the default mode for session state management in ASP.NET. That ASP.NET application would have to be specifically configured to use this mode.
- Even if an application was configured to use StateServer mode, it would only be at risk if it also used cookies.
[/list]Risk Rating:- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: None
[/list]Patch Availability- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/…in/ms02-026.asp%5B/url%5D for information on obtaining this patch.
[/list]THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/…in/ms02-026.asp%5B/url%5D for information on obtaining this patch.
