Microsoft ASP.NET Security Vulnerability
An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data). Attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).
Microsoft advisory:
http://www.microsoft.com/technet/security/advisory/2416728.mspx
Workaround details for asp.net applications:
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
DotNetNuke advisory:
http://info.dotnetnuke.com/index.php/email/emailWebview?mkt_tok=3RkMMJWWfF9wsRonuq%2FLZKXonjHpfsX57OgtW6Og38431UFwdcjKPmjr1YQJTdQhcOuuEwcWGog8xANMFOWBcpVL%2Fw%3D%3D
DotNetNuke specific instructions to apply workaround:
http://info.dotnetnuke.com/rs/dotnetnuke/images/DotNetNuke_Security_Update_Regarding_ASPNET_Vulnerability_091810.pdf
We are monitoring the Microsoft advisory for updates and will be scheduling a round of updates for all servers as soon as it has been made available to the public. In the meantime the above listed workarounds will protect your applications from this vulnerability.
If you have any questions, please submit a support ticket.
Thank you
Tuesday, September 21, 2010