[Japanese]

JVNDB-2011-003557

ASP.NET vulnerable to open redirect

Overview

ASP.NET provided by Microsoft contains an open redirect vulnerability due to an issue in the login component.

ASP.NET provided by Microsoft contains an open redirect vulnerability due to an issue in the login component. Therefore a web application that implements ASP.NET may be vulnerable.

Tomoki Sanaki of NTT Communications Corporation Security Operation Center reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Microsoft Corporation
  • Microsoft .NET Framework 2.0 SP2
  • Microsoft .NET Framework 3.5 SP1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4.0
  • Microsoft Windows 7 (x32) SP1 and earlier
  • Microsoft Windows 7 (x64) SP1 and earlier
  • Microsoft Windows Server 2003 SP2
  • Microsoft Windows Server 2003 (itanium) SP2
  • Microsoft Windows Server 2003 (x64) SP2
  • Microsoft Windows Server 2008 (x86) SP2
  • Microsoft Windows Server 2008 (itanium) SP2
  • Microsoft Windows Server 2008 (x64) SP2
  • Microsoft Windows Server 2008 r2(itanium) SP1 and earlier
  • Microsoft Windows Server 2008 r2(x64) SP1 and earlier
  • Microsoft Windows Vista SP2
  • Microsoft Windows Vista (x64) SP2
  • Microsoft Windows XP sp3 SP3
  • Microsoft Windows XP (x64) SP2

Impact

The user who accesses the web application that implements ASP.NET may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.
Solution

[Update the software]
This vulnerability was resolved in MS11-100.
Apply the update according to the information provided by Microsoft.
Vendor Information

Microsoft Corporation
  • Microsoft Security Bulletin : MS11-100
CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2011-3415
References

  1. JVN : JVN#71256611
  2. National Vulnerability Database (NVD) : CVE-2011-3415
  3. @Police : Microsoft Security Bulletin for December 2011 (in Japanese)
Revision History

  • [2013/11/15]
      Web page was published