In the article he boils down a presentation by Cesar Cerrudo presented at Microsoft's BlueHat Security Briefings. Here's a core excerpt:
One of the front lines of of defense is to reduce the trustLevel of .NET applications:Cerrudo showed how to completely take over — or "0wn" — a system running Microsoft's Internet Information Services (IIS) and Windows Server 2003.
The attack involves hijacking a security token and using it to gain elevated privileges. That sounds rather complicated, and it is — unless you have some helper code. Microsoft hasn't yet fixed the problem, but neither had any working exploits been released.
That all changed last week. Complete working exploit code is now available on the Internet, as documented by the No More Root blog and others. People can use this code to upload to an IIS server a file that allows them to take over the system.
See: http://msdn.microsoft.com/en-us/library/ms998341.aspxFortunately, there are ways to reduce the risk. Regardless of whether you use IIS 6 or IIS 7, don't allow ASP.NET applications to run with full trust. Instead, configure the machine-level Web.config file so it forces applications to run with medium trust
Other ASP.NET shopping carts crashed when we tried this . . . . But AbleCommerce 7 sites ran perfectly.
Now, if we can just get all of our other ASP.NET shopping cart clients on to AbleCommerce 7, there will be a happy ending for everyone on this issue. Meanwhile, other ASP.NET shopping cart applications have become a potentially significant liability for us.
