{"id":4711,"date":"2010-09-23T07:21:29","date_gmt":"2010-09-23T07:21:29","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/bharry\/2010\/09\/23\/security-vulnerability\/"},"modified":"2018-08-13T22:44:29","modified_gmt":"2018-08-13T22:44:29","slug":"security-vulnerability","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/bharry\/security-vulnerability\/","title":{"rendered":"Security Vulnerability"},"content":{"rendered":"

On Friday, a security researcher unveiled a new attack vector against ASP.NET applications.  You can read more about it on Scott’s blog<\/a> or on the Microsoft Security Advisory<\/a>.  Because TFS is based on ASP.NET, it is affected by the vulnerability.  The ASP.NET team is working hard on a fix and assures me a patch will be available soon.  In the mean time, they have recommended a set of configuration\/application changes that can be made to eliminate the vulnerability.  Unfortunately, the provided steps don’t work on all aspects of TFS (in part due to the level of ASP.NET behvior customization we have done).<\/p>\n

To provide you an avenue to protect your TFS server, we have put together a document on changes you can make to your various ASP.NET based TFS components.  The changes are not complicated but they aren’t as simple as changing a configuration setting either.  Further, some of the changes will make your TFS installation unserviceable (future patches from us won’t appliy properly) so you will need to undo these changes as soon as the “real” patch from the ASP.NET team has been applied.  Given all of this, you will need to make your own assessment about the cost\/risk\/benefit equation of trying to take these steps.<\/p>\n

Numerous components of TFS and related services are affected by this vulnerability, including:<\/p>\n