lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 3 May 2005 12:58:33 -0400
From: "Tim Farley" <tfarley@...dynamics.com>
To: <bugtraq@...urityfocus.com>
Cc: <lcamtuf@...il.com>
Subject: RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks


Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a property "ViewStateUserKey" to the System.Web.UI.Page class in .NET Framework 1.1.  The documentation for this property is here:

http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuipageclassviewstateuserkeytopic.asp

Of course, it is up to the individual web page developer to ensure an appropriate non-trivial value has been placed into this property.  As we all know, this is exactly the sort of detail that developers often forget or flub, with disastrous results.

--Tim Farley
  SPI Dynamics

Start Secure. Stay Secure.
Security Assurance Throughout the Application Lifecycle.


Powered by blists - more mailing lists