Eran Kampf

UrlAuthorization vulnerability in ASP.NET

A serious vulnerability affecting ASP.NET was recently discovered.

There’s a bug in ASP.NET’s canonicalization process that can allow an attacker to slip past the UrlAuthorizationModule by using a backslash instead of a forward slash.

For example, an unauthorized attacker might be able to access a secured directory using the following URL (notice the ‘\’ between “something” and “secure”):

https://www.ekampf.com/something\secure/securedPage.aspx

Apparently this isn’t reproducible on Windows 2003 (the built-in URLScan capability fixes the URL before it gets to ASP.NET), but earlier platforms are still vulnerable.

Microsoft has posted an article detailing steps that you can take to protect yourself in the meantime, while they work on a patch.
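
One way to refuse such requests before URL authorization runs, as an added example (not code from this post or from Microsoft's article): an HTTP module that rejects any request whose path contains a backslash, whether literal or percent-encoded. The class name `BackslashPathFilterModule`, the decode limit and the 404 response are assumptions made for the example.

```csharp
using System;
using System.Web;

// Hypothetical module (added example). Register it under
// <system.web><httpModules> in web.config so it runs for every request.
public class BackslashPathFilterModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before AuthorizeRequest, so this check runs
        // before UrlAuthorizationModule evaluates the requested path.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Context.Request;
        if (ContainsBackslash(PathOnly(request.RawUrl)) ||
            ContainsBackslash(request.Path))
        {
            // Answer as if the resource did not exist.
            throw new HttpException(404, "Not found");
        }
    }

    // Drop the query string: only the path takes part in URL authorization,
    // and legitimate query values may contain backslashes.
    internal static string PathOnly(string rawUrl)
    {
        int q = rawUrl.IndexOf('?');
        return q >= 0 ? rawUrl.Substring(0, q) : rawUrl;
    }

    // True if the path holds '\' literally or behind percent-encoding
    // (%5c, %255c, ...). Decoding is repeated until the string stops changing.
    internal static bool ContainsBackslash(string path)
    {
        string current = path == null ? string.Empty : path;
        for (int i = 0; i < 4; i++)
        {
            if (current.IndexOf('\\') >= 0) return true;
            string decoded = HttpUtility.UrlDecode(current);
            if (decoded == current) return false;
            current = decoded;
        }
        return true; // still changing after several decodes: fail closed
    }
}
```

With this module registered, a request for a path such as `/something\secure/securedPage.aspx` or `/something%5csecure/securedPage.aspx` gets a 404 before any authorization rule is consulted.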