Web Applications using Claims authentication require an update (SharePoint Server 2010)

 

Applies to: SharePoint Server 2010, SharePoint Foundation 2010

Rule Name:   Web Applications using Claims authentication require an update

Event ID:   None

Summary:   Web applications that use claims-based authentication are at risk for a potential security vulnerability that might allow users to elevate privileges. Web servers that host Web applications that use claims-based authentication are potentially vulnerable.

Cause:   This can happen when you deploy a Microsoft ASP.NET 2.0-based Web application to a Web site that is hosted on a server running Microsoft SharePoint Server 2010 and you have Internet Information Services (IIS) 7.0 or IIS 7.5 running in Integrated mode on the server.

If you deploy partially trusted Web Parts or create external lists on the SharePoint site, these Web Parts or external lists can have more permissions than they should have. This issue might create a security risk on the SharePoint site. For example, these Web Parts or external lists may unexpectedly generate database requests or HTTP requests.

This issue occurs because of a change in the ASP.NET 2.0 authentication component. The change causes the partially trusted Web Parts or external lists to impersonate the application pool account. Therefore, the Web Parts have full permission to access the SharePoint site.

Resolution:   Install the update