cbcvebase.
CVE-2011-3416
published 2011-12-30

CVE-2011-3416: The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 allows remote authenticated…

PriorityP359high8.5CVSS 2.0
AVNACMAuSCCICAC
EPSS
45.58%
98.6th percentile
The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 allows remote authenticated users to obtain access to arbitrary user accounts via a crafted username, aka "ASP.Net Forms Authentication Bypass Vulnerability."

Affected

11 ranges
VendorProductVersion rangeFixed in
episerverepiserver_cms
episerverepiserver_cms
episerverepiserver_cms
episerverepiserver_cms
episerverepiserver_cms
episerverepiserver_cms
episerverepiserver_cms
episerverepiserver_cms
episerverepiserver_cms
microsoftwindows_server_2008
microsoftwindows_xp

Detection & IOCsextracted from sources · hover to see the quote

path/CreatingUserAccounts.aspx
otherCreateUserStepContainer
other%00
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ASP.NET Forms Authentication Bypass"; flow:established,to_server; http.uri; content:"/CreatingUserAccounts.aspx"; fast_pattern; http.request_body; content:"CreateUserStepContainer"; content:"UserName="; distance:0; content:"%00"; distance:0; pcre:"/UserName\x3d[^\x26]+\x2500/"; reference:cve,2011-3416; classtype:attempted-user; sid:2014100; rev:7; metadata:created_at 2012_01_03, cve CVE_2011_3416, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic targets HTTP POST requests to /CreatingUserAccounts.aspx with a request body containing 'CreateUserStepContainer', a 'UserName=' parameter, and a null-byte (%00) appended to the username value — matching the PCRE pattern /UserName\x3d[^\x26]+\x2500/
  • The attack is classified as Initial Access (MITRE TA0001) via Exploit Public-Facing Application (T1190), targeting ASP.NET Forms Authentication. Deploy detection at both Perimeter and Internal network boundaries.
  • ·The Snort/Suricata rule (SID 2014100) applies specifically to inbound HTTP traffic from external networks to HTTP servers; ensure $EXTERNAL_NET and $HTTP_SERVERS variables are correctly scoped in your sensor configuration.
  • ·A related but distinct EPiServer CMS vulnerability (CVE-2012-1031) also affects Forms Authentication in certain configurations — this rule is specific to CVE-2011-3416 and should not be conflated with CVE-2011-3417 or CVE-2012-1031.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.