JVNDB-2011-003557

ASP.NET vulnerable to open redirect

Overview

ASP.NET provided by Microsoft contains an open redirect vulnerability due to an issue in the login component. Therefore, a web application built on ASP.NET may be vulnerable.

Tomoki Sanaki of NTT Communications Corporation Security Operation Center reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


Microsoft Corporation
  • Microsoft .NET Framework 2.0 SP2
  • Microsoft .NET Framework 3.5 SP1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4.0
  • Microsoft Windows 7 for 32-bit Systems SP1 and earlier
  • Microsoft Windows 7 for x64-based Systems SP1 and earlier
  • Microsoft Windows Server 2003 SP2
  • Microsoft Windows Server 2003 for Itanium-based Systems SP2
  • Microsoft Windows Server 2003 x64 Edition SP2
  • Microsoft Windows Server 2008 for 32-bit Systems SP2
  • Microsoft Windows Server 2008 for Itanium-based Systems SP2
  • Microsoft Windows Server 2008 for x64-based Systems SP2
  • Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 and earlier
  • Microsoft Windows Server 2008 R2 for x64-based Systems SP1 and earlier
  • Microsoft Windows Vista SP2
  • Microsoft Windows Vista x64 Edition SP2
  • Microsoft Windows XP SP3
  • Microsoft Windows XP Professional x64 Edition SP2

Impact

A user who accesses a web application built on ASP.NET may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.

Solution

[Update the software]
This vulnerability was resolved in MS11-100.
Apply the update according to the information provided by Microsoft.

Vendor Information

Microsoft Corporation
  • Microsoft Security Bulletin: MS11-100

CWE

  1. Improper Input Validation (CWE-20) [IPA Evaluation]

CVE

  1. CVE-2011-3415

References

  1. JVN : JVN#71256611
  2. National Vulnerability Database (NVD) : CVE-2011-3415
  3. @Police : Microsoft Security Bulletin for December 2011 (in Japanese)

Revision History

[2013/11/15]
  Web page was published