Dela via


Web Applications using Claims authentication require an update (SharePoint Server)

APPLIES TO: yes-img-132013 yes-img-162016 yes-img-192019 yes-img-seSubscription Edition no-img-sopSharePoint in Microsoft 365

Rule Name: Web Applications using Claims authentication require an update.

Event ID: None

Summary: Web applications that use claims-based authentication are at risk for a potential security vulnerability that might allow users to elevate privileges. Web servers that host Web applications that use claims-based authentication are potentially vulnerable.

Cause: This can happen when you deploy a Microsoft ASP.NET 2.0-based Web application to a Web site that is hosted on a server running SharePoint Server and you have Internet Information Services (IIS) 7.0 or IIS 7.5 running in Integrated mode on the server.

If you deploy partially trusted Web Parts or create external lists on the SharePoint site, these Web Parts or external lists can have more permissions than they should have. This issue might create a security risk on the SharePoint site. For example, these Web Parts or external lists may unexpectedly generate database requests or HTTP requests.

This issue occurs because of a change in the ASP.NET 2.0 authentication component. The change causes the partially trusted Web Parts or external lists to impersonate the application pool account. Therefore, the Web Parts have full permission to access the SharePoint site.

Resolution: Install the update