Reported Security Vulnerability in ASP.NET

Microsoft is currently investigating a reported vulnerability in Microsoft ASP.NET. An attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This reported vulnerability exists in ASP.NET and does not affect ASP.

This issue affects Web content owners who are running any version of ASP.NET on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional, and Windows Server 2003.

The underlying issue is that ASP.NET is failing to perform proper canonicalization of some URLs. Microsoft Knowledge Base (KB) article 887459, “Programmatically Checking for Canonicalization Issues with ASP.NET,” describes how to add additional safeguards to an ASP.NET application to help protect against common canonicalization issues, such as those related to this reported vulnerability.

The ASP.NET Team has confirmed that all versions of ASP.NET on all operating systems may be susceptible to this potential exploit. They strongly recommend you apply the following code to the Global.asax for each of your applications.

Global.asax code sample (Visual Basic .NET)

Sub Application_BeginRequest(Sender as Object, E as EventArgs)
    If (Request.Path.IndexOf(chr(92)) >= 0 OR _
        System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
        Throw New HttpException(404, "Not Found")
    End If
End Sub

Global.asax code sample (C#)

void Application_BeginRequest(object source, EventArgs e) {
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        throw new HttpException(404, "not found");

The ASP.NET team is continuing to work on this problem and will post more information once it becomes available to