Is SharePoint susceptible to asp.net security advisory 2416728

Posted Date: September 20, 2010    Category: SharePoint
Reading through recent ASP.NET security advisory 2416728 (http://www.microsoft.com/technet/security/advisory/2416728.mspx), it appeared to me that SharePoint would NOT be susceptible to this security vulnerability - just wanted confirmation of this. Thanks

More Related Resource Links

ASP.NET Security Vulnerability and SharePoint 2007 (Microsoft Security Advisory (2416728))


With the recent security advisory issued by Microsoft for all ASP.NET applications, it was highlighted by Scott Gu that SharePoint applications are at risk also. Scott provided a link to a script which would run on your web server to determine if there are ASP.NET applications installed on it and if it was vulnerable or not. I ran this script on my SharePoint server and noticed the following web.config files highlighted as being vulnerable:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\template\layouts\web.config
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\template\images\web.config
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\isapi\web.config
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\wpresources\web.config

Could I follow the instructions provided by Microsoft in the alert and modify these files? If not, how do I protect my web applications from this threat, or are they at risk at all?

SharePoint Tutorial - Security

Security in SharePoint is comprised of users, groups and roles.

Users, Groups and Roles

A user account comes from the authentication system. For example, if Active Directory is used to authenticate then the user accounts will come from it.

There are two types of groups SharePoint uses: domain groups and SharePoint groups.

SharePoint Security: Trim SharePoint Search Results for Better Security


SharePoint search may return too much information, causing data security problems. Learn how to use the custom security trimmer to ensure users see only the documents they have permission to view.

Ashley Elenjickal, Pooja Harjani

MSDN Magazine July 2010

Office Space: Security Programming in SharePoint 2007


This month Ted Pattison presents an overview of programming security and permissions for Windows SharePoint Services 3.0.

Ted Pattison

MSDN Magazine February 2008

SharePoint 2010: Security Resource Center (Developers)

Are you new to SharePoint security, or do you want to learn the latest about claims-based identity? Find information about areas of security, including authentication, role providers, and claims.

Administrator and Developer Guide to Code Access Security in SharePoint Server 2007

Explore configuration options, get best practices for managing CAS in SharePoint environments, and walk through a complex CAS scenario.

Video: Security and Deployment: Office Applications in SharePoint

Many times deployments are much more than a single Office Add-in. When additional items like Lists, Content Types, Workflows, etc. need to be deployed as well, you need a package that can be deployed by an administrator. This video discusses deploying complete applications to SharePoint. (Length: 9:30)

Video: Introduction to Claims-based Security in SharePoint 2010

Learn how claims-based identity provides a common way for applications to acquire identity information from users inside their organization, in other organizations, and on the Internet. (Length: 23:46)

Using the Acceleration Toolkit for Microsoft Forefront Security for SharePoint

Learn how to supply full-fidelity FSSP enablement to a SharePoint environment, regardless of deployment phase with this acceleration toolkit.

Passing values from web page to custom security trimmer in SharePoint 2010

Hi, in SharePoint 2007 we had a custom security trimmer that implemented the ISecurityTrimmer interface. We also had a custom webpart used for search. Now, using HttpContext we passed values from the webpart to the security trimmer with additional info needed to trim the results. It worked since the trimmer was executed in the same w3wp process as the webpart. Now in SharePoint 2010, the architecture for ISecurityTrimmer2 has changed, as it's executed in the search process (other w3wp) - not the webpart w3wp, so it has no access to the HttpContext. Question is: how to pass custom data, in the form of a string, to a security trimmer when search is done from custom code in the webpart?

Copy SharePoint 2007 folder (with sub folders) with all the security permissions

I am looking to copy a common SharePoint folder (sub folders) in 2007 with all the security permissions intact, to a different location in the same site. Does anyone know how to do this?

Really don't understand security on SharePoint

Security issue using SharePoint Designer. I think this is more administration than SharePoint Designer. I have created a site where designers will update pages, CSS, and master pages. I have put these users in the Designers SharePoint group. I have branded the site initially and now passed this to the designers. The issue I have is the designers can't check out and amend master pages or CSS files even though the description of the group says this. They come up 'ACCESS DENIED'. 'Members of this group can edit lists, document libraries, and pages in the site. Designers can create Master Pages and Page Layouts in the Master Page Gallery and can change the behavior and appearance of each site in the site collection by using master pages and CSS files.' I have also tried to put the users in the site owners group but have 'ACCESS DENIED' and no luck. However, if I make them secondary administrators from site settings, it works fine. I need to know the correct planning of roles in SharePoint and what groups. The designers will amend pages, page layouts, amend master pages. Thanks

Is there a way to obtain where in a SharePoint site a certain security group is used?

There is a SharePoint group that has been set up and is used throughout a single SharePoint occurrence with many team sites and lists. It has originated from AD and been sent over to SharePoint with collection. They want to rename the group name. I have used it throughout the site. Is there a way to identify what sites and lists have been secured with this site so I do not have to go manually through site by site? Thanks, Angela

Create SharePoint Security Group populated by AD query

Is there any non-code way to create a SharePoint Security Group that is populated by an AD query? The "standard" way of getting the same "effect" is to create a group that contains an AD group, but that does not allow members of a particular site to see who else is also a member of the site. Any thoughts?

SharePoint List Security

I have a list which I only want administrators with full access. The rest of the people I have done the following: - Denied access to the list so that they don't see other people's entries - Created a web part which users use to add data to the list (not all columns) and a grid to show their existing entries. However, normal people get an access denied error on the web part. Any suggestions?

Microsoft.SharePoint.WebControls.Welcome Not security trimmed

https://my.sharepoint.com/_layouts/userdisp.aspx, displays access denied when User permission set to not display /_layout/... Application Pages, this redirect should have never been allowed. How can one report Microsoft.SharePoint.WebControls.Welcome control to the Connect web site?