People still use ASP.NET viewstate?
I thought everyone had moved onto AJAX. Viewstate was one of the ugliest technical hacks ever to exist (next to Intel's segment memory pointers).
Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering. The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on …
I've never used ASP.NET. What I understood from vaguely ignoring the issue on mailing lists, was that ViewState was supposed to be used to store "session-like" data, ie. semi-persistent user data, the values entered into a multi-page form perhaps.
Was I totally off-base or are there really people storing passwords with this thing?
brilliant logic there, Ajax, essentially for web application client side, can be hacked or used for server hacking a lot easier than the viewstate, or even as you mention Intel, who just lately have taken to giving it away rather than make you steal it.
I'm sorry if that's not very clear, I've a few beers too many inside me, and I'm not on UK time either.
"Microsoft personnel also warned about ASP.Net applications that store passwords, database connection strings or other sensitive data in the ViewState object. Because such objects are accessible to the outside, the Microsoft apps automatically encrypt its contents."
I hope they don't "encrypt" their customer's financial and other personal details this way. Yet another *huge* MS security fail. See www.trustworthycomputing.com.
"the ASP.Net application stores ... passwords or database connection strings, in the ViewState object ... The ViewState object is encrypted and sent to the client"
'What were they thinking' springs to mind.
Biting the hand that feeds IT © 1998–2021