This threat brief discusses a security issue identified by NCC Group in September 2012 relating to the use of ASP.NET forms authentication in a shared or cloud hosting environment. If virtual hosting is used to make multiple applications on the same IIS server available at different domain names, then a forms authentication cookie issued by one application may also be accepted by the other applications, depending on the application pool configuration in use. This could allow an attacker to authenticate to an application for which they hold no valid credentials; in other words, a bypass of forms authentication. Other security mechanisms which derive their security from ASP.NET’s machine key may also be affected.
Microsoft have previously issued guidance which explains how to provide adequate separation between ASP.NET applications in a shared hosting environment, but that guidance is a relatively obscure Knowledge Base article, and it does not mention the effect that inadequate separation has on forms authentication. Nevertheless, the remediation proposed in that article is sufficient to mitigate the issue described in this threat brief.
All ASP.NET shared hosting providers should ensure that the guidance in KB article 2698981 is followed, particularly if forms authentication is being used to protect applications.
We begin by providing an example which highlights this issue in more detail. We then provide some background information on ASP.NET forms authentication and the machine key, in order to explain how the vulnerability arises. Finally, we provide more information on mitigating the issue.
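The cross-application replay described above, as an added example that is not code from the threat brief and not ASP.NET's own ticket format: a toy model in Python in which a JSON payload with an HMAC-SHA256 tag stands in for the real ticket's encryption and MAC under the machineKey, and the two applications either share a validation key or hold distinct ones, standing in for the hosting configuration. The names App, issue_ticket, validate_ticket and cross_app_replay are hypothetical, as are the host names.

```python
"""Toy model of forms-authentication ticket validation across virtual hosts.

Added example, not code from the threat brief and not ASP.NET's ticket format:
a real ticket is encrypted and MAC'd under the machineKey's decryptionKey and
validationKey; here a JSON payload with an HMAC-SHA256 tag stands in for it.
The names App, issue_ticket, validate_ticket and cross_app_replay are
hypothetical.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class App:
    """One virtually hosted application.

    validation_key stands in for the key the application actually ends up
    validating tickets with.  Two instances built from the same bytes model
    two applications whose hosting configuration leaves them sharing a key.
    """

    def __init__(self, host: str, validation_key: bytes):
        self.host = host
        self.validation_key = validation_key

    def issue_ticket(self, username: str, lifetime_s: int = 3600,
                     now: Optional[float] = None) -> str:
        """Mint the cookie value a successful login would set."""
        now = time.time() if now is None else now
        payload = json.dumps(
            {"name": username, "issued": now, "expires": now + lifetime_s},
            separators=(",", ":"),
        ).encode()
        tag = hmac.new(self.validation_key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + tag).decode()

    def validate_ticket(self, cookie: str,
                        now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated user name, or None if the cookie is rejected.

        Nothing in the ticket records which host issued it.  Cookie domain and
        path are enforced only by the browser, so anyone can present a ticket to
        any host; the MAC key is the only thing binding a ticket to an
        application.
        """
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(cookie.encode())
        except ValueError:          # binascii.Error is a ValueError subclass
            return None
        if len(raw) <= TAG_LEN:
            return None
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.validation_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None             # issued under a different key, or tampered
        fields = json.loads(payload)
        if fields["expires"] < now:
            return None
        return fields["name"]


def cross_app_replay(shared_key: bool) -> Optional[str]:
    """Attacker controls tenant-a.example and replays its ticket to tenant-b.

    Returns the name tenant B accepts the attacker as, or None if rejected.
    """
    key_a = secrets.token_bytes(64)
    key_b = key_a if shared_key else secrets.token_bytes(64)
    attacker_app = App("tenant-a.example", key_a)
    victim_app = App("tenant-b.example", key_b)
    # The attacker has valid credentials on their own application, so it will
    # mint a ticket for any name they choose, including one that exists on B.
    cookie = attacker_app.issue_ticket("admin")
    return victim_app.validate_ticket(cookie)


if __name__ == "__main__":
    print("shared key    ->", cross_app_replay(shared_key=True))   # admin
    print("distinct keys ->", cross_app_replay(shared_key=False))  # None
```

The point the model makes is that the victim application never learns where the ticket came from: with a shared key it accepts the attacker's self-issued "admin" ticket, and only a distinct key causes the MAC check to fail. The isolation in KB 2698981 is the remediation the brief relies on; as a general ASP.NET property, and not a claim the brief itself makes, giving each application its own explicitly configured machineKey also causes a ticket from one application to fail validation on every other.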
Read the full threat brief here
Published date: 25 April 2013
Written by: Richard Turnbull