Check Point Advisories

Microsoft ASP.NET Chart Control Information Disclosure (MS11-066; CVE-2011-1977)

Vulnerability
Protection

Check Point Reference:	CPAI-2011-362
Date Published:	9 Aug 2011
Severity:	High
Last Updated:	Tuesday 09 August, 2011
Source:
Industry Reference:	CVE-2011-1977
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	An information disclosure vulnerability has been reported in Microsoft Chart Controls. Chart Controls is a chart creation tool which enables users to create charts within ASP.NET pages. A remote attacker could exploit this vulnerability to retrieve any file from an affected ASP.NET page. This is an information disclosure vulnerability. The vulnerability is due to an error in the way Chart Controls verifies functions within specially crafted URIs. A remote attacker can trigger this flaw by sending a specially crafted GET request to a server hosting the affected application. Successful exploitation may allow an attacker to retrieve any file from the affected application's directory or sub directories. Some of these files may include sensitive user information, which may be exploited by an attacker.

Protection Overview

This protection will detect and block attempts to transfer malformed Chart Controls URI requests over HTTP.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the Microsoft ASP.NET Chart Control Information Disclosure (MS11-066) protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Web Server Enforcement Violation.
Attack Information: Microsoft ASP.NET Chart Control information disclosure (MS11-066)