A note from the Microsoft ASP.NET Team:
This alert is to advise you of the availability of a web page that discusses an investigation Microsoft is currently conducting into public reports of a security vulnerability in ASP.NET. A malicious user could provide a specially formed URL that could result in the unintended serving of secured content.
This alert is also to advise you of the availability of a new Microsoft Knowledge Base article: 887459. This article contains prescriptive guidance with steps customers can implement on their ASP.NET applications to help protect against a wide variety of malformed URL attacks.
Microsoft is providing this prescriptive guidance in order to inform customers as quickly as possible about the vulnerability and information on how to prevent an attack. Microsoft is actively investigating this issue and plans to release additional guidance and a security update to remedy the issue as soon as possible.
The Microsoft Knowledge Base article can be viewed here:
http://support.microsoft.com/?kbid=887459
Code sample
The following samples demonstrate how to add an Application_BeginRequest event handler to a Global.asax file. The handler rejects requests whose URL contains invalid characters or is otherwise malformed by verifying the request path before any page executes, which helps protect against common canonicalization issues.
Global.asax code sample (Visual Basic .NET)
<script language="vb" runat="server">
Sub Application_BeginRequest(Sender As Object, E As EventArgs)
    ' Reject a backslash anywhere in the virtual path, or a physical path
    ' that is not already in canonical form.
    If (Request.Path.IndexOf(Chr(92)) >= 0 Or _
        System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) Then
        Throw New HttpException(404, "Not Found")
    End If
End Sub
</script>
Global.asax code sample (C#)
<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e)
{
    // Reject a backslash anywhere in the virtual path, or a physical path
    // that is not already in canonical form.
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath)
    {
        throw new HttpException(404, "not found");
    }
}
</script>

The web page that discusses the current investigation into the public reports of a vulnerability in ASP.NET can be viewed here:
http://www.microsoft.com/security/incident/aspnet.mspx
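To see what the two checks in the Global.asax samples above actually decide, the following console program factors the same logic into a helper and runs it over a few constructed request/physical path pairs. This is an added example, not Microsoft's sample or Knowledge Base content; the web root C:\inetpub\wwwroot and the sample paths are placeholders, and the helper takes the virtual and physical paths as plain strings in place of Request.Path and Request.PhysicalPath.

```csharp
using System;
using System.IO;

// Added example (not Microsoft's code): the two Global.asax checks as a
// helper that can be exercised offline with sample inputs.
static class CanonicalizationCheck
{
    // Returns a reason string when the request should be rejected with a 404,
    // or null when both checks pass.
    // requestPath  stands in for Request.Path (the virtual path from the URL).
    // physicalPath stands in for Request.PhysicalPath (the mapped file path).
    public static string RejectReason(string requestPath, string physicalPath)
    {
        // Check 1: a backslash anywhere in the virtual path.
        if (requestPath.IndexOf('\\') >= 0)
            return "backslash in virtual path";

        // Check 2: the mapped physical path must already be canonical.
        // GetFullPath resolves "." and ".." segments and other non-canonical
        // forms, so any difference means the path was not in its simplest form.
        string canonical;
        try
        {
            canonical = Path.GetFullPath(physicalPath);
        }
        catch (ArgumentException)
        {
            // Invalid path characters: treat as malformed rather than let the
            // exception propagate as a 500.
            return "physical path contains invalid characters";
        }

        if (!string.Equals(canonical, physicalPath, StringComparison.Ordinal))
            return "physical path not canonical (resolves to " + canonical + ")";

        return null;
    }

    static void Main()
    {
        // Constructed sample inputs; the web root is a placeholder.
        var samples = new (string Request, string Physical)[]
        {
            (@"/secure/page.aspx",           @"C:\inetpub\wwwroot\secure\page.aspx"),
            (@"/secure\page.aspx",           @"C:\inetpub\wwwroot\secure\page.aspx"),
            (@"/public/../secure/page.aspx", @"C:\inetpub\wwwroot\public\..\secure\page.aspx"),
            (@"/secure/./page.aspx",         @"C:\inetpub\wwwroot\secure\.\page.aspx"),
        };

        foreach (var s in samples)
        {
            string reason = RejectReason(s.Request, s.Physical);
            Console.WriteLine("{0,-32} -> {1}",
                s.Request,
                reason == null ? "allow" : "404 Not Found: " + reason);
        }
    }
}
```

Only the first sample is allowed; the other three are refused by one of the two checks. The ordinal string comparison matches the behaviour of the `!=` operator used in the C# sample, and the catch clause is the one addition a practitioner would want in the real handler, since Path.GetFullPath throws on invalid path characters and an unhandled exception would turn a malformed request into a server error instead of a 404.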
If you have any questions, please see the discussion in the ASP.NET Security Forums at:
http://www.asp.net/Forums/ShowForum.aspx?tabindex=1&ForumID=25