Ken Cox [Microsoft MVP]
"Microsoft has posted guidance that protects against a reported
vulnerability in all versions of ASP.NET that could allow a Web site visitor
to view secured content by using specially crafted requests to a Web server."
Here's a suggested fix:
Global.asax code sample (Visual Basic .NET)
<script language="vb" runat="server">
Sub Application_BeginRequest(Sender as Object, E as EventArgs)
    ' Return 404 if the URL path contains a backslash (Chr(92)) or the
    ' mapped physical path is not already in its canonical full form.
    If (Request.Path.IndexOf(chr(92)) >= 0 OR _
        System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
        Throw New HttpException(404, "Not Found")
    End If
End Sub
</script>
Global.asax code sample (C#)
<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e) {
    // Return 404 if the URL path contains a backslash or the mapped
    // physical path is not already in its canonical full form.
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        throw new HttpException(404, "not found");
    }
}
</script>
For more information visit here.
http://www.microsoft.com/security/incident/aspnet.mspx