{"id":181540,"date":"2016-09-16T00:12:00","date_gmt":"2016-09-15T22:12:00","guid":{"rendered":"http:\/\/www.borncity.com\/blog\/?p=181540"},"modified":"2018-09-01T12:27:05","modified_gmt":"2018-09-01T10:27:05","slug":"sicherheitslcke-in-asp-net","status":"publish","type":"post","link":"https:\/\/borncity.com\/blog\/2016\/09\/16\/sicherheitslcke-in-asp-net\/","title":{"rendered":"Sicherheitsl&uuml;cke in ASP.NET"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\"\/>Microsoft hat bereits am Dienstag, den 13. September 2016 ein Security Advisory zu ASP.NET herausgegeben, in der vor einer Sicherheitsl\u00fccke gewarnt wird. <\/p>\n<p><!--more--><\/p>\n<p>Die Sicherheitsl\u00fccke betrifft die ASP.NET Core View Components, die eine Rechteerweiterung erm\u00f6glichen kann. Die Sicherheitsanf\u00e4lligkeit findet sich in der \u00f6ffentlichen Version von ASP.NET Core MVC 1.0.0. Die Klasse View Components kann falsche Informationen, darunter auch Details zum aktuellen authentifizierten Benutzer, enthalten. Ist eine View Component von dem anf\u00e4lligen Code abh\u00e4ngig, k\u00f6nnte das zu Problemen und zu einer Erh\u00f6hung von Berechtigungen f\u00fchren. Es sind folgende Paketversionen betroffen:<\/p>\n<table>\n<tbody>\n<tr>\n<td colspan=\"2\">\n<p><strong>Betroffene Pakete und Versionen<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><strong>Paketname<\/strong><\/p>\n<\/td>\n<td colspan=\"2\">\n<p><strong>Paketversion<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.Abstractions<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.ApiExplorer<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.Core<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.Cors<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.DataAnnotations<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.Formatters.Json<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.Formatters.Xml<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.Localization<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.Razor<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.Razor.Host<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.TagHelpers<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.ViewFeatures<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p>Microsoft.AspNetCore.Mvc.WebApiCompatShim<\/p>\n<\/td>\n<td colspan=\"2\">\n<p>1.0.0<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Weitere Details finden sich in der <a href=\"https:\/\/technet.microsoft.com\/library\/security\/3181759\" target=\"_blank\">Microsoft-Sicherheitsempfehlung 3181759<\/a> sowie bei <a href=\"http:\/\/www.heise.de\/newsticker\/meldung\/Microsoft-warnt-vor-Rechteausweitung-durch-ASP-NET-Schwachstellen-3321312.html\" target=\"_blank\">heise.de<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft hat bereits am Dienstag, den 13. September 2016 ein Security Advisory zu ASP.NET herausgegeben, in der vor einer Sicherheitsl\u00fccke gewarnt wird.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[426],"tags":[1797,4328],"class_list":["post-181540","post","type-post","status-publish","format-standard","hentry","category-sicherheit","tag-asp-net","tag-sicherheit"],"_links":{"self":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts\/181540","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/comments?post=181540"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts\/181540\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/media?parent=181540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/categories?post=181540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/tags?post=181540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}