CVE-2010-3332

Description

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

Related CPE's

References

http://twitter.com/thaidn/statuses/24832350146

41409

1024459

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html

http://www.ekoparty.org/juliano-rizzo-2010.php

43316

http://isc.sans.edu/diary.html?storyid=9568

http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

ADV-2010-2429

http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security

http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/

http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx

http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310

http://www.microsoft.com/technet/security/advisory/2416728.mspx

ADV-2010-2751

http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle

ms-aspdotnet-padding-info-disclosure(61898)

oval:org.mitre.oval:def:12365

MS10-070

CvssV3 impact

CvssV2 impact