Clarity on Microsoft Security Advisory 2416728 and WSS 3.0 / MOSS 2007
UPDATE 8:39 PM 9/21/2010: The SharePoint Team blog post has been updated with new information. While you could perform the steps below for WSS 3.0/MOSS 2007, they are not needed. Only SharePoint 2010 and WSS 2.0 are affected.
There have been some questions on whether or not WSS 3.0 and MOSS 2007 are affected by Microsoft Security Advisory 2416728. Since the reported vulnerability is in the .NET Framework, specifically ASP.NET and the way it handles error pages, WSS 3.0 and MOSS 2007 may be affected (see the update above).
The SharePoint Team blog has workaround steps for SharePoint 2010 that help mitigate the attack. So what are the steps for WSS/MOSS? If you read the advisory, it becomes clear that the workaround needs two things:
- A custom error page. It can be named anything, but error2.aspx is easy enough. Copy the code provided in the advisory into this page and put the file in the web application. For SharePoint you will want to copy the file to the _layouts directory, not inside a SharePoint site, so that it is served as /_layouts/error2.aspx under every site.
- An updated web.config that points to the new error page. This step changes depending on the version of .NET installed on the computer hosting the web application.
So what are the steps? They are almost identical to the SharePoint 2010 steps, with two minor differences.
- Browse to the SharePoint installation directory at %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS.
- Create a new file called error2.aspx in this directory with the following content (this is the page from the advisory; the random sleep exists so that response timing does not reveal which kind of error occurred):
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    void Page_Load()
    {
        // Delay 0-255 ms using a cryptographic RNG so the time taken to
        // return this page cannot be used to distinguish error causes.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);
        IDisposable disposable = prng as IDisposable;
        if (disposable != null)
        {
            disposable.Dispose();
        }
    }
</script>
<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
- Navigate to %SystemDrive%\inetpub\wwwroot\wss\VirtualDirectories.
- For each subfolder in this directory, do the following:
- Edit web.config
- Find the customErrors node. If .NET Framework 3.5 SP1 is installed, change it to:
<customErrors mode="On" redirectMode="ResponseRewrite"
defaultRedirect="/_layouts/error2.aspx" />
If .NET Framework 3.5 or earlier is installed, change the line to:
<customErrors mode="On" defaultRedirect="/_layouts/error2.aspx" />
- Save your changes
- Run iisreset /noforce
The web.config customErrors line differs for computers with .NET 3.5 or earlier because the redirectMode attribute was not available before .NET 3.5 SP1. Without it ASP.NET can only send a redirect to the error page; with redirectMode="ResponseRewrite" the error page is rendered in place of the failed request and the browser's URL does not change. Either way, mode must be "On" (not "RemoteOnly") so that every error, local or remote, is answered with the same generic page.
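Scripting the web.config step across all virtual directories, as an added example that is not part of the original post or of Microsoft's advisory. It assumes the default 12-hive and VirtualDirectories paths, that the SP value under the NDP\v3.5 registry key is a sufficient indicator of .NET 3.5 SP1, and a backup file name of its own choosing; run it in an elevated PowerShell on each web front end after error2.aspx has been created.

```powershell
# Added example (not the post's or the advisory's own code). Applies the
# customErrors change to every web.config under the WSS VirtualDirectories
# root, picking the form that matches the installed .NET version.
# Assumptions: default 12-hive and VirtualDirectories paths, and the
# HKLM ...\NDP\v3.5 "SP" value as the 3.5 SP1 indicator.

$layouts  = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS'
$vdirRoot = Join-Path $env:SystemDrive 'inetpub\wwwroot\wss\VirtualDirectories'

# The redirect target must exist first, or the error page itself will error.
$errorPage = Join-Path $layouts 'error2.aspx'
if (-not (Test-Path $errorPage)) { throw "Create $errorPage first (see the steps above)." }

# .NET 3.5 SP1 records SP=1 under the v3.5 key (assumed indicator).
$ndp35  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
$hasSp1 = ($ndp35 -ne $null) -and ($ndp35.Install -eq 1) -and ($ndp35.SP -ge 1)

Get-ChildItem $vdirRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $configPath = Join-Path $_.FullName 'web.config'
    if (-not (Test-Path $configPath)) { return }   # no web.config here, skip

    # Keep a copy so the change can be reverted once the fix is installed.
    Copy-Item $configPath "$configPath.pre-2416728.bak" -Force

    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true
    $config.Load($configPath)

    $systemWeb = $config.SelectSingleNode('/configuration/system.web')
    if ($systemWeb -eq $null) { Write-Warning "No <system.web> in $configPath, skipping"; return }

    $node = $systemWeb.SelectSingleNode('customErrors')
    if ($node -eq $null) {
        $node = $config.CreateElement('customErrors')
        [void]$systemWeb.AppendChild($node)
    }

    # Drop existing attributes and any per-status-code <error> children so
    # every error, whatever its cause, is answered by the same page.
    $node.RemoveAll()
    $node.SetAttribute('mode', 'On')
    $node.SetAttribute('defaultRedirect', '/_layouts/error2.aspx')
    if ($hasSp1) { $node.SetAttribute('redirectMode', 'ResponseRewrite') }

    $config.Save($configPath)
    $form = if ($hasSp1) { 'ResponseRewrite' } else { 'redirect (pre-3.5 SP1)' }
    Write-Host "Updated $configPath using $form"
}

iisreset /noforce
```

After the reset, check the result the way an attacker would see it: request a page that is certain to fail (for example a non-existent .aspx under /_layouts/) and confirm that the response is the generic "An error occurred while processing your request." page rather than the ASP.NET yellow error screen or SharePoint's own error page. Repeat on every web front end, and keep the .bak copies until the change is intentionally reverted.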