SharePoint affected by ASP.NET vulnerability
In a SharePoint team blog posting, Microsoft has stated that SharePoint Server is affected by the padding oracle vulnerability in ASP.NET. Until now, Microsoft had not given any specific information on which ASP.NET applications were vulnerable.
According to Microsoft, Sharepoint 2010, SharePoint Foundation 2010, Microsoft Office SharePoint Server 2007, Windows SharePoint Services 3.0 and Windows SharePoint Services 2.0 are all affected. SharePoint Portal Server 2003 is not affected. Microsoft is working on a solution to the underlying problem in the .NET framework, versions 1.0 SP3 to 4.0. As a workaround until a solution is available, the company is advising users to block the display of specific server error messages. Instructions on how to do so can be found in Microsoft's security advisory. In the opinion of Thai Duong, one of the discoverers of the vulnerability, the protection offered by the workaround is inadequate.
The vulnerability is a result of incorrect implementation of cryptographic functions and can be remotely exploited to read specific ViewState values and cookies and to download files from servers without possessing the necessary authority. The Padding Oracle Exploitation Tool (Poet) is able to take advantage of vulnerabilities of this type by assessing error messages returned by the server in response to specific packets. Microsoft has released a tool able to sniff out vulnerable applications.