Geological Society of United Kingdom __VIEWSTATE Not Encrypted Vulnerability

2017.01.03
4TT4CK3R (IR)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

:~# Exploit Title : Geological Society of United Kingdom __VIEWSTATE Not Encrypted Vulnerability
:!# Exploit Author : 4TT4CK3R
:~# Submit Date : 2017/01/03
:~# HomePage : https://www.geolsoc.org.uk/
:~# About Server :
-- Web Server = IIS-7.5
-- Server Type = Windows Server
-- Language = Microsoft ASP.NET 4.0.30319
:~# About Vulnerability :
The __VIEWSTATE parameter is not encrypted. To reduce the chance of someone intercepting the information stored in the ViewState, it is good design to encrypt the ViewState. To do this, set the machineKey validation type to AES. This instructs ASP.NET to encrypt the ViewState value using the Advanced Encryption Standard.
:~# Patch and Fix this Vulnerability :
To patch this vulnerability on the server, first open the web.config file and add this line under the <system.web> element :
<machineKey validation="AES"/>
:~# Exploited by 4TT4CK3R
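A defender-side check for the condition described above, as an added example that is not part of the original advisory: it reads the `__VIEWSTATE` field from a rendered page and reports whether it decodes to readable serializer output. The function name, the sample pages and the payload bytes are constructed for illustration; the one format fact assumed is that unencrypted ObjectStateFormatter data starts with the bytes 0xFF 0x01.

```python
import base64
import re

# ObjectStateFormatter output starts with these two marker bytes; after
# base64 encoding the field value therefore begins with "/w".
OSF_MAGIC = b"\xff\x01"
# Assumes the attribute order ASP.NET renders: name, id, then value.
FIELD_RE = re.compile(r'name="__VIEWSTATE"[^>]*?\bvalue="([^"]*)"')


def audit_viewstate(html):
    """Classify the __VIEWSTATE field of a rendered page.

    Returns a dict with 'status' in {'absent', 'invalid', 'plaintext',
    'opaque'} and, for plaintext, the readable strings found in it.
    """
    match = FIELD_RE.search(html)
    if not match:
        return {"status": "absent"}
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:
        return {"status": "invalid"}
    if not raw.startswith(OSF_MAGIC):
        # No serializer marker: encrypted, or not ObjectStateFormatter data.
        return {"status": "opaque", "length": len(raw)}
    # Runs of 4+ printable ASCII bytes are what any reader of the page sees.
    strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", raw)]
    return {"status": "plaintext", "length": len(raw), "strings": strings}


def _page(payload):
    # Constructed sample markup in the shape ASP.NET renders the field.
    value = base64.b64encode(payload).decode()
    return ('<form><input type="hidden" name="__VIEWSTATE" '
            'id="__VIEWSTATE" value="%s" /></form>' % value)


# Constructed samples: marker bytes plus a short string, and a stand-in
# for ciphertext (arbitrary bytes without the marker).
PLAIN_PAGE = _page(b"\xff\x01\x05\x10role=member;id=7")
OPAQUE_PAGE = _page(bytes((i * 73 + 41) % 256 for i in range(64)))

if __name__ == "__main__":
    for name, page in (("plain", PLAIN_PAGE), ("opaque", OPAQUE_PAGE)):
        print(name, audit_viewstate(page))
```

Run it against a saved copy of your own page before and after the web.config change; a result of `plaintext` after the change means the setting has not taken effect for that page.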



Copyright 2019, cxsecurity.com

 
