Wednesday, 28 December 2011

Denial-of-service vulnerability affecting many web app servers including ASP.NET

On Wednesday, Microsoft issued a security advisory about a newly disclosed exploit that lets attackers drive CPU usage to nearly 100% on almost all popular web servers and frameworks, including ASP.NET.

Repeatedly sending "specially crafted" HTTP POST requests degrades performance because of the processing required for hash table inserts. The advisory suggests configuring the maximum request size, with a security patch likely to follow.

"It is possible for an attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition. Microsoft is aware of detailed information available publicly that could be used to exploit this vulnerability but is not aware of any active attacks."
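To show why hash table inserts become the bottleneck and why capping the request size bounds the damage, here is an added example (not from the advisory and not ASP.NET's implementation). It assumes a toy separate-chaining table, a deliberately weak constructed hash (`weak_hash`), and constructed field names and byte sizes.

```python
import hashlib

def weak_hash(key):
    # Constructed weak hash (assumption): depends only on key length,
    # so all equal-length keys land in the same bucket.
    return len(key)

def strong_hash(key):
    # Well-distributed stand-in: first 8 bytes of SHA-256.
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

def insert_cost(keys, hash_fn, buckets=1024):
    """Insert keys into a separate-chaining table; return key comparisons made."""
    table = [[] for _ in range(buckets)]
    comparisons = 0
    for key in keys:
        chain = table[hash_fn(key) % buckets]
        found = False
        for existing in chain:  # walk the chain looking for a duplicate
            comparisons += 1
            if existing == key:
                found = True
                break
        if not found:
            chain.append(key)
    return comparisons

def worst_case_comparisons(max_request_bytes, bytes_per_param):
    """Upper bound on comparisons if every parameter in one request collides."""
    n = max_request_bytes // bytes_per_param
    return n * (n - 1) // 2

def sample_keys(n):
    # Constructed form-field names, all the same length.
    return [f"p{i:06d}" for i in range(n)]

if __name__ == "__main__":
    keys = sample_keys(2000)
    print("all keys collide :", insert_cost(keys, weak_hash))
    print("keys spread out  :", insert_cost(keys, strong_hash))
    # A "p000000=&" pair is 9 bytes on the wire; caps are constructed values.
    for cap in (4_000_000, 200_000):
        print(cap, "byte cap ->", worst_case_comparisons(cap, 9))
```

The insert cost is quadratic in the number of colliding parameters, so shrinking the request size cap by a factor of 20 shrinks the worst-case work per request by roughly a factor of 400.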