FIM Password Reg/Reset Portals over Internet marked as PCI Compliance Failure RRS feed

  • Question

  • Hi,

    How have you handled the issue reported by a security audit of FIM2010 R2 Portals for registering and resetting passwords on the 'net. The date on the article is 2008, and the .net assemblies are 1.0 thru 2.0, but the audit is still catching preventing a rollout.


    Brief Description: Details here:

    Microsoft ASP.NET could allow a remote attacker to bypass ValidateRequest filters and conduct cross-site scripting attacks, caused by a vulnerability that was introduced by the MS07-040 update. A remote attacker could exploit this vulnerability using a query string containing a less-than tilde slash sequence (<~/) appended with a malicious STYLE element, which would allow the attacker to bypass Request Validation and conduct cross-site scripting attacks against a vulnerable ASP.NET application.



    Wednesday, February 5, 2014 5:44 PM

All replies

  • Is FIM2010 R2 using ASP.NET 4 or later?

    "ASP.NET version 4 is not vulnerable, as it does not use the vulnerable ‘ValidateRequest’ Filter."





    What versions of Microsoft ASP.NET are not vulnerable?

    ASP.NET version 4 is not vulnerable, as it does not use the vulnerable ‘ValidateRequest’ Filter.

    Applications that have been securely coded, and have custom filtering in place above and beyond the ValidateRequest Filter, may not be vulnerable.

    Wednesday, February 5, 2014 8:57 PM
  • Hi. I hope you could give us some advice related with FIM 2010 R2

    We are using FIM joined to our software. As a secutiry requirement we have to migrate all the AppPools from 2.0 to 4.0 at least, BUT, FIM uses IIS AppPools running in ASP.Net 2.0. It seems to be Microsoft don´t have a FIM version that works in ASP.Net 4.0, so Do you know if there is any kind of tip we could apply or something like that to keep using FIM with framework 2.0 with out any risk?

    Is FIM vulnerable to cross site scripting attack? Do you know if there is any FIM documentation where it's stated that FIM has this type of attack validations?

    Thanks a lot.

    Thursday, May 21, 2015 9:52 PM