November 27th 2008
Security Advisory: Please review security settings in MWPSK 1.2.1 or earlier
We discovered that missing authorization settings in web.config allow unauthenticated users to upload content to the app_data folder.
We rate the severity of the error as HIGH and are applying the Emergency operation procedure (Security Operation Procedures) to solve the problem. We invite everyone else to also act according to these recommendations, which we created to cope with exactly this kind of incident.
Please check the authorization tag in your web.config. It should contain the following lines:
When will a solution for the problem be available?
The problem is solved in the latest version (1.2.2) of the starter kit.
What does this really mean for my installations?
Someone who knows how to exploit this could gain access to any data file stored as part of an MWPSK-based website and upload their own files or overwrite existing ones.
What can I do as a first measure to defend my website against such a hacker attack?
You should backup your site now by downloading the whole content of the \app_data folder to your local machine.
Then add the missing settings to the web.config file, or copy over the latest version (1.2.2) of the starter kit.
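As an added illustration (not MWPSK's own code, and the advisory does not list the exact lines the 1.2.2 fix uses), the script below parses a web.config and reports, for the site root and each `<location>` element, whether the `<authorization>` block denies anonymous users before any rule allows them. The two embedded configurations are constructed samples: a weak one that allows everyone, and a hardened one that locks down an assumed `app_data` location.

```python
"""Audit an ASP.NET web.config for <authorization> rules that deny anonymous users.
Added example for this advisory; the 'app_data' location path is an assumption."""
import xml.etree.ElementTree as ET

# Constructed sample: every request is allowed, anonymous uploads included.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authorization><allow users="*"/></authorization>
  </system.web>
</configuration>"""

# Constructed sample: anonymous users ('?') are denied for the app_data location
# before the catch-all allow ('*'); ASP.NET applies rules in document order.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <authorization><allow users="*"/></authorization>
  </system.web>
  <location path="app_data">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""


def anonymous_denied(auth):
    """True if the first rule matching an anonymous user is a <deny>.
    '?' matches anonymous users and '*' matches everyone; role-only rules
    never match an anonymous user. No matching rule means the default allow."""
    if auth is None:
        return False
    for rule in auth:
        if rule.tag not in ("allow", "deny"):
            continue
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if "?" in users or "*" in users:
            return rule.tag == "deny"
    return False


def audit(config_xml):
    """Map each scope ('/' for the root and each <location path>) to whether
    anonymous users are denied there."""
    root = ET.fromstring(config_xml)
    scopes = [("/", root)] + [(loc.get("path"), loc) for loc in root.iter("location")]
    return {path: anonymous_denied(node.find("system.web/authorization"))
            for path, node in scopes}


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Run it against your own file with `audit(open("web.config").read())`; any upload-capable path that reports `False` still accepts anonymous requests.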
What if I’m using an older version of MWPSK (like 1.1)?
Every version older than 1.2.2 needs to be checked for its security settings.