Recently, Microsoft received information about a vulnerability in ASP.NET. The ASP.NET team has been working hard to confirm and identify the scope of this vulnerability, and Microsoft has posted the following page containing information about the vulnerability:
In addition, the following KB article describes steps you can take to provide additional protection for your applications against canonicalization issues such as the type involved in the vulnerability:
If you are running ASP.NET applications, you should take the time to read over this information, and take necessary steps to protect your applications, in particular the global.asax code described in the KB article. Note also that while it does not completely address this particular vulnerability, tools such as URLScan can provide some protection against certain types of canonicalization issues, and provide an additional layer of protection against malformed URLs.
The advice at http://www.microsoft.com/security/incident/aspnet.mspx has been updated with a new fix for this vulnerability. The new fix, which can be installed using a simple MSI installer, adds an HttpModule at the server level that addresses the vulnerability across all ASP.NET applications on a given machine. If you’re running ASP.NET, or any application that uses ASP.NET, you should install this fix.
There’s a new KB article at http://support.microsoft.com/?kbid=887787 that describes a potential issue you may encounter after you install the HttpModule fix described above, as well as solutions to the issue.