You may receive error messages when you browse or try to debug an ASP.NET application after you install security update 887219 (MS05-004)

Summary

After you install security update MS05-004, and then you browse or try to debug some ASP.NET applications, you may experience errors. This article describes the different errors messages that you may receive. It also provides resolutions for these problems.

Symptoms

After you install security update MS05-004, and then you browse or try to debug a Microsoft ASP.NET application where the URL contains a trailing backslash (\), you may receive one of the following error messages:
The resource cannot be found.


Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

Error while trying to run project: Unable to start debugging on the web server. Could not start ASP.NET or ATL Server Debugging. Verify that the ASP.NET or ATL server is currently installed on the server.

Cause

The problem occurs if the URL that is specified in the Microsoft Internet Information Services (IIS) metabase contains a trailing backslash.

Resolution

To resolve this problem, remove the trailing backslash in the IIS metabase for the URL that is specified for the affected Web application. To do this, use one of the following methods.

Method 1: Use IIS Manager

  1. Click Start, click Run, type cmd, and then click OK.
  2. Locate the %systemroot%\system32\inetsrv directory.
  3. At the command prompt, type inetmgr to open IIS Manager.
  4. Right-click the Web site for the URL that you want to change, and then click Properties.
  5. If the affected application is a virtual directory under the Web site, click the Directory tab, and then remove the trailing backslash from the path that is specified in the Local path text box.

    If the affected application is in the root directory of the Web site, click the Home Directory tab, and then remove the trailing backslash from the path that is specified in the Local path text box.
  6. Click Apply, and then click OK.

Method 2: Use a .vbs script

  1. Use the following code sample tp create a .vbs script:
    Option Explicit

    Dim objWebService, objWebSite
    Dim objSite, objArgs, strServer
    Dim WshNetwork

    Set objArgs = WScript.Arguments

    If objArgs.Length = 1 Then
    strServer = objArgs(0)
    ElseIf objArgs.Length = 0 Then
    Set WshNetwork = CreateObject("WScript.Network")
    strServer = WshNetwork.ComputerName
    Else
    WScript.Echo "Usage: CScript ModifyVDir.vbs [servername]"
    WScript.Quit
    End If
    WScript.Echo "Connecting to " & strServer

    Set objWebService = GetObject("IIS://" & strServer & "/W3SVC")

    For Each objWebSite in objWebService
    Set objSite = GetObject(objWebSite.AdsPath)
    If objSite.Class = "IIsWebServer" Then
    WScript.Echo objSite.AdsPath
    EnumVDir objSite, 1
    End If
    Next

    WScript.Echo "Done processing."

    Sub EnumVDir(objVDir, i)
    Dim objSubVDir, objDir
    Dim strNewPath

    For Each objSubVDir in objVDir
    If objSubVDir.Class = "IIsWebVirtualDir" Then
    Set objDir = GetObject(objSubVDir.AdsPath)

    If ((Right(objDir.Path, 1) = "\") and (Right(objDir.Path, 2) <> ":\")) Then
    WScript.Echo Space(i*3) & objDir.AdsPath
    WScript.Echo Space(i*3) & "Path = " & objDir.Path

    strNewPath = Left(objDir.Path, Len(objDir.Path) - 1)
    WScript.Echo Space(i*3) & "New Path = " & strNewPath

    objDir.Put "Path", strNewPath
    objDir.SetInfo
    End If

    EnumVDir objDir, i + 1
    End If
    Next
    End Sub

  2. Run the .vbs script from the command line. To do this, follow these steps:
    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type

      cscript [file_name.vbs]
      .

      Note file_name is a placeholder for the name of your .vbs script.
    3. To close the command prompt, type exit.

More Information

After you apply this security update, ASP.NET performs stricter checks for the validity both of physical paths and of requested virtual paths.

References

For additional information about the MS05-004 security update, click the following article number to view the article in the Microsoft Knowledge Base:

887219 MS05-004: ASP.NET path validation vulnerability could allow unauthorized access

Egenskaper

Artikkel-ID: 894670 – Forrige gjennomgang: 14. jul. 2008 – Revisjon: 1

Tilbakemelding