We’ve recently had a spate of attacks on our live websites from zombie PCs trying to inject email headers into the page’s viewstate. At our end, the resultant error comes back as a System.Web.HttpUnhandledException : Invalid Viewstate along with a dump of Viewstate that looks remarkably like a Multi-part MIME email message but contains invalid Base64 characters.
ViewState: email@example.com
Content-Type: multipart/mixed; boundary="===============0113959725=="
MIME-Version: 1.0
Subject: 1d2fb280
To: firstname.lastname@example.org
bcc: email@example.com
From: firstname.lastname@example.org
This is a multi-part message in MIME format.
Content-Type: text/plain; charset="us-ascii"
According to this article, this attack is more subtle than you think, but easy to thwart. If you’re using .NET, it seems to be caught by default, but if you’re a PHP/CGI user, you need to make sure to strip the carriage return and newline characters from the form fields in your scripts. The thing that bothers me is that these attacks keep occurring from time to time, implying that new people keep getting infected with it. But the same handful of email addresses are always in the BCC field. Couldn’t Microsoft or someone in the .NET world have issued some sort of advisory about this new kind of injection attack back in July when it seemed to begin? If they did, can someone point it out?
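As an added example (not code from this post or the linked article), here is one way a PHP form handler can apply the line-break advice above. It rejects header-bound fields containing CR/LF instead of silently stripping them, so the attempt can be logged. The field names email, subject and message, the function names and the sample values are all assumptions.

```php
<?php
// Added example: check form fields before they are used in mail headers.
// Field names and the sample submission below are constructed.

/** True if the value contains a character that could start a new header line. */
function has_header_break(string $value): bool
{
    // CR, LF or NUL. PHP has already URL-decoded $_POST values at this point.
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Validate input destined for mail headers.
 * Returns [cleanFields, errors]. Only the message body may keep newlines.
 */
function validate_contact_form(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (['email', 'subject'] as $field) {
        $raw = (string)($post[$field] ?? '');
        if (has_header_break($raw)) {
            $errors[] = "$field contains a line break";
            continue;
        }
        $clean[$field] = trim($raw);
    }
    // A single syntactically valid address only; this also rejects lists.
    if (isset($clean['email'])
        && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a single valid address';
        unset($clean['email']);
    }
    $clean['message'] = (string)($post['message'] ?? '');
    return [$clean, $errors];
}

// Constructed submission shaped like the dump shown above.
$sample = [
    'email'   => "sender@example.com\r\nContent-Type: multipart/mixed\r\nbcc: other@example.com",
    'subject' => 'Hello',
    'message' => "Line one\nLine two",
];
[$clean, $errors] = validate_contact_form($sample);
print_r($errors);             // the email field is reported
var_dump(isset($clean['email'])); // false: it never reaches the headers
```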