ASP.NET Path Validation Vulnerability??

Discussion in 'Virukset ja haittaohjelmat' started by Turmio, Apr 20, 2006.

  1. Turmio

    Turmio Member

    Joined:
    Sep 15, 2005
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    16
    So the problem is that Trend Micro HouseCall found the following issue on my machine. F-Secure, on the other hand, doesn't find any problem.

    "(MS05-004) ASP.NET Path Validation Vulnerability (887219)

    Vulnerability Identifier: CAN-2004-0847
    Discovery Date: Feb 8, 2005
    Risk: Important
    Vulnerability Assessment Pattern File: 023
    Affected Software:
    Microsoft .NET Framework 1.0
    Microsoft .NET Framework 1.1

    Description:

    A canonicalization vulnerability exists in ASP.NET, which could allow a malicious user to access secure and protected files. The security mechanisms of an ASP.NET Web site can be bypassed to allow the malicious user unauthorized access.

    Patch Information:

    http://www.microsoft.com/technet/security/bulletin/MS05-004.mspx

    Workaround Fixes:

    Apply the mitigation code module discussed in Microsoft Knowledge Base Article 887289. The mitigation code module provides protection on a server basis.

    Make the following changes in the GLOBAL.ASAX file in the application root directory for each application on an affected system as an alternative to installing the module on a per-application basis:

    <script runat="server" language="cs">
    void Application_BeginRequest(object src, EventArgs e)
    {
        // Reject any request whose URL path contains a backslash, or whose mapped
        // physical path is not already in canonical form; answer 404 so the
        // protected resource is not revealed.
        if (Request.Path.IndexOf('\\') >= 0 ||
            System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath)
        {
            throw new HttpException(404, "not found");
        }
    }
    </script>


    Install and use URLScan to help protect systems against a large number of issues stemming from improperly formed URL requests, including the publicly described issues addressed by this bulletin. Note however that URLScan does not protect your system as comprehensively as either the mitigation code module or the GLOBAL.ASAX script.
    More information on URLScan is available in the following page: http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp"


    I followed those links, but I wasn't any the wiser, and the link that was supposed to let me download the IIS Lockdown Wizard gave me nothing. Thanks in advance for any help!
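The two conditions of the quoted GLOBAL.ASAX check, lifted into a stand-alone C# console program as an added example (not code from the thread, the KB article or Microsoft's mitigation module) so they can be exercised against constructed request paths; it assumes Windows path semantics, since Path.GetFullPath canonicalizes differently on other platforms, and the site root is a constructed value.

```csharp
using System;
using System.IO;

// Added example, not the thread's or Microsoft's code: the two conditions of the
// quoted Global.asax mitigation as a pure function, run against constructed paths.
// Assumes Windows path semantics for Path.GetFullPath.
static class CanonicalPathCheck
{
    // Returns true when the request should be answered with 404, exactly as the
    // Global.asax snippet does; requestPath is the URL path, physicalPath the
    // file-system path the server mapped it to.
    public static bool ShouldReject(string requestPath, string physicalPath)
    {
        // Condition 1: a backslash anywhere in the URL path. IIS treats it as a
        // directory separator, while ASP.NET URL authorization rules are written
        // with forward slashes, so such a path must never reach authorization.
        if (requestPath.IndexOf('\\') >= 0)
            return true;

        // Condition 2: the mapped physical path is not already canonical, i.e.
        // Path.GetFullPath changes it ("." or ".." segments, doubled or forward-
        // slash separators, trailing dots or spaces). Ordinal comparison, which
        // is what "!=" on strings does in the original snippet.
        string canonical = Path.GetFullPath(physicalPath);
        return !string.Equals(canonical, physicalPath, StringComparison.Ordinal);
    }

    static void Main()
    {
        const string root = @"C:\inetpub\wwwroot";   // constructed site root
        // Constructed (URL path, mapped physical path) pairs; only the first is
        // in canonical form and is allowed through.
        var cases = new[]
        {
            new { Url = "/secure/report.aspx",           Physical = root + @"\secure\report.aspx" },
            new { Url = @"/secure\report.aspx",          Physical = root + @"\secure\report.aspx" },
            new { Url = "/secure/../secure/report.aspx", Physical = root + @"\secure\..\secure\report.aspx" },
            new { Url = "/secure/./report.aspx",         Physical = root + @"\secure\.\report.aspx" },
            new { Url = "/secure/report.aspx",           Physical = root + @"/secure/report.aspx" },
        };

        foreach (var c in cases)
        {
            string verdict = ShouldReject(c.Url, c.Physical) ? "404 not found" : "allowed      ";
            Console.WriteLine($"{verdict}  {c.Url}  ->  {c.Physical}");
        }
    }
}
```

Only the first pair passes both conditions; each of the others is rejected by the same test the GLOBAL.ASAX snippet applies on every request.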
     
  2. aaxxeell

    aaxxeell Regular member

    Joined:
    Jul 28, 2005
    Messages:
    2,145
    Likes Received:
    0
    Trophy Points:
    46
    There's no problem there other than the vulnerability itself.
    Wouldn't it have been fixed through Windows Update?
     
