Export (0) Print
Expand All
Expand Minimize

Web Applications using Claims authentication require an update (SharePoint Server 2010)

Published: May 12, 2010

Rule Name:   Web Applications using Claims authentication require an update

Event ID:   None

Summary:   Web applications that use claims-based authentication are at risk for a potential security vulnerability that might allow users to elevate privileges. Web servers that host Web applications that use claims-based authentication are potentially vulnerable.

Cause:   This can happen when you deploy a Microsoft ASP.NET 2.0-based Web application to a Web site that is hosted on a server running Microsoft SharePoint Server 2010 and you have Internet Information Services (IIS) 7.0 or IIS 7.5 running in Integrated mode on the server.

If you deploy partially trusted Web Parts or create external lists on the SharePoint site, these Web Parts or external lists can have more permissions than they should have. This issue might create a security risk on the SharePoint site. For example, these Web Parts or external lists may unexpectedly generate database requests or HTTP requests.

This issue occurs because of a change in the ASP.NET 2.0 authentication component. The change causes the partially trusted Web Parts or external lists to impersonate the application pool account. Therefore, the Web Parts have full permission to access the SharePoint site.

Resolution:   Install the update

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft