CVE-2011-3416
published 2011-12-30CVE-2011-3416: The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 allows remote authenticated…
PriorityP359high8.5CVSS 2.0
AVNACMAuSCCICAC
EPSS
45.58%
98.6th percentile
The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 allows remote authenticated users to obtain access to arbitrary user accounts via a crafted username, aka "ASP.Net Forms Authentication Bypass Vulnerability."
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| episerver | episerver_cms | — | — |
| episerver | episerver_cms | — | — |
| episerver | episerver_cms | — | — |
| episerver | episerver_cms | — | — |
| episerver | episerver_cms | — | — |
| episerver | episerver_cms | — | — |
| episerver | episerver_cms | — | — |
| episerver | episerver_cms | — | — |
| episerver | episerver_cms | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_xp | — | — |
Detection & IOCsextracted from sources · hover to see the quote
path/CreatingUserAccounts.aspx
otherCreateUserStepContainer
other%00
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ASP.NET Forms Authentication Bypass"; flow:established,to_server; http.uri; content:"/CreatingUserAccounts.aspx"; fast_pattern; http.request_body; content:"CreateUserStepContainer"; content:"UserName="; distance:0; content:"%00"; distance:0; pcre:"/UserName\x3d[^\x26]+\x2500/"; reference:cve,2011-3416; classtype:attempted-user; sid:2014100; rev:7; metadata:created_at 2012_01_03, cve CVE_2011_3416, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Exploit traffic targets HTTP POST requests to /CreatingUserAccounts.aspx with a request body containing 'CreateUserStepContainer', a 'UserName=' parameter, and a null-byte (%00) appended to the username value — matching the PCRE pattern /UserName\x3d[^\x26]+\x2500/
- →The attack is classified as Initial Access (MITRE TA0001) via Exploit Public-Facing Application (T1190), targeting ASP.NET Forms Authentication. Deploy detection at both Perimeter and Internal network boundaries.
- ·The Snort/Suricata rule (SID 2014100) applies specifically to inbound HTTP traffic from external networks to HTTP servers; ensure $EXTERNAL_NET and $HTTP_SERVERS variables are correctly scoped in your sensor configuration.
- ·A related but distinct EPiServer CMS vulnerability (CVE-2012-1031) also affects Forms Authentication in certain configurations — this rule is specific to CVE-2011-3416 and should not be conflated with CVE-2011-3417 or CVE-2012-1031.
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-r38m-g3v3-7w4j: Unspecified vulnerability in EPiServer CMS 5 and 6 through 6R2, in certain configurations using Forms Authentication, allows remote authenticated user
ghsa_unreviewed·2022-05-17·CVSS 8.5
CVE-2012-1031 [HIGH] GHSA-r38m-g3v3-7w4j: Unspecified vulnerability in EPiServer CMS 5 and 6 through 6R2, in certain configurations using Forms Authentication, allows remote authenticated user
Unspecified vulnerability in EPiServer CMS 5 and 6 through 6R2, in certain configurations using Forms Authentication, allows remote authenticated users to obtain WebAdmins access by leveraging Edit Mode privileges, a different vulnerability than CVE-2011-3416 and CVE-2011-3417.
GHSA
GHSA-fqwg-5wxg-6mp3: The Forms Authentication feature in the ASP
ghsa_unreviewed·2022-05-13
CVE-2011-3416 [HIGH] GHSA-fqwg-5wxg-6mp3: The Forms Authentication feature in the ASP
The Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 allows remote authenticated users to obtain access to arbitrary user accounts via a crafted username, aka "ASP.Net Forms Authentication Bypass Vulnerability."
Suricata
ET WEB_SERVER ASP.NET Forms Authentication Bypass
suricata·2012-01-03
CVE-2011-3416 ET WEB_SERVER ASP.NET Forms Authentication Bypass
ET WEB_SERVER ASP.NET Forms Authentication Bypass
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ASP.NET Forms Authentication Bypass"; flow:established,to_server; http.uri; content:"/CreatingUserAccounts.aspx"; fast_pattern; http.request_body; content:"CreateUserStepContainer"; content:"UserName="; distance:0; content:"%00"; distance:0; pcre:"/UserName\x3d[^\x26]+\x2500/"; reference:cve,2011-3416; classtype:attempted-user; sid:2014100; rev:7; metadata:created_at 2012_01_03, cve CVE_2011_3416, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Pub
No public exploits indexed.
No writeups or analysis indexed.
http://www.us-cert.gov/cas/techalerts/TA11-347A.htmlhttps://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-100https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14363http://www.us-cert.gov/cas/techalerts/TA11-347A.htmlhttps://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-100https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14363
2011-12-30
Published