SharePoint 2013 - This product requires Microsoft .Net Framework 4.5

I got this error “This product requires Microsoft .Net Framework 4.5” while installing SharePoint 2013 on Windows Server 2012 R2, and I tried to follow the steps suggested here: https://support.microsoft.com/en-us/kb/3087184 but it did not succeed.

The right fix in my case was to remove KB3102467 and then restart Windows.

For the same case, check this link:

https://sysadminnotesblog.wordpress.com/2016/03/03/sharepoint-2013-net-framework-not-installed-error/


HTML Form found in redirect page security risk

To understand the title, let us see this example.

Assume that we have two pages as follows:

  1. Admin Page (accessible only to logged-in users)
  2. No Access Page (redirect page that tells the anonymous user that they don’t have access to the admin page)

The admin page has the following critical information:

The No Access page shows the following message to anonymous users:

Now, to prevent anonymous users from accessing the admin page, I used the code below in the page load event to redirect the user to the No Access page using Response.RedirectLocation:

If you try to access the admin.aspx page using a browser, you will get this result:

But if you use a tool like HTML Editor, which belongs to Acunetix, you will get the following result:

But why?

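The reason for this vulnerability is that Response.RedirectLocation doesn’t terminate the response, so the server still sends the content of the admin page in the body of the redirect. A browser follows the redirect and never displays that body, but the client tool above does not behave like a browser: no redirection happens, and we are able to see the content of the admin page.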

To fix this issue, simply add Response.End() after setting the redirect. Alternatively, you can use Response.Redirect, which internally calls Response.End() to stop processing the request.
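The before-and-after described above, as an added example that is not the code from the original post. It is a Web Forms code-behind in which the class names, the NoAccess.aspx file name, the BindAdminData helper and the use of Request.IsAuthenticated as the login check are assumptions.

```csharp
using System;
using System.Web.UI;

// BEFORE the fix: hypothetical code-behind for admin.aspx.
public class AdminVulnerable : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated) // assumed login check
        {
            // Sets only the status line and the Location header.
            // The page life cycle keeps running, so the admin markup
            // is still rendered into the body of the 302 response.
            Response.StatusCode = 302;
            Response.RedirectLocation = "NoAccess.aspx"; // assumed page name
        }
        BindAdminData(); // still executes for anonymous requests
    }

    // Hypothetical helper standing in for whatever fills the admin page.
    private void BindAdminData() { }
}

// AFTER the fix: same redirect, but the response is terminated.
public class AdminFixed : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated) // assumed login check
        {
            Response.StatusCode = 302;
            Response.RedirectLocation = "NoAccess.aspx"; // assumed page name
            Response.End(); // stops execution: nothing below runs or renders

            // Alternative with the same effect:
            //   Response.Redirect("NoAccess.aspx");
            // Note that Response.Redirect("NoAccess.aspx", false) passes
            // endResponse = false, so page execution continues after it.
        }
        BindAdminData(); // reached only by authenticated users
    }

    private void BindAdminData() { }
}
```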


For more details

http://www.acunetix.com/blog/articles/html-form-found-in-redirect-page/

DROWN attack

Based on Wikipedia,

“The DROWN attack is a cross-protocol security bug that attacks servers supporting modern TLS protocol suites by using their support for the obsolete, insecure, SSL v2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. DROWN can affect all types of servers that offer services encrypted with TLS yet still support SSL v2, provided they share the same public key credentials between the two protocols.”

Note:

You can find more about the right implementation of SSL/TLS in the Maximizing SharePoint Security whitepaper: https://gallery.technet.microsoft.com/Maximizing-SharePoint-cf7f7efc

To check if your website has this vulnerability, you can use the following tools:

  1. SSL LABS https://www.ssllabs.com/ssltest/
  2. The DROWN Attack Test https://test.drownattack.com/

To fix this issue, simply disable SSL v2 on your servers (it’s also recommended to disable SSL v3) as follows:

Go to this registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0

If there is no “Server” key, create a “Server” key

Then create a DWORD value named “DisabledByDefault” and change the value data to “1”

Restart the server


Note:

Some articles use an “Enabled” value instead of “DisabledByDefault”, but if you go that way the above tools will not consider your server secure against the DROWN attack, so it is better to go with “DisabledByDefault”.

For more details about the DROWN attack, check the following post:

https://blog.qualys.com/securitylabs/2016/03/04/ssl-labs-drown-test-implementation-details

Moving My blog from blogs.msdn.com/b/fabdulwahab/ to fabdulwahab.com

I moved my blog from http://blogs.msdn.com/b/fabdulwahab/ to http://fabdulwahab.com, so no more entries or updates will be made in the old blog.

My Posts in Previous blog:

Regards,