The security bug in .NET Forms Authentication, first reported on the NT-BugTraq mailing list, affects ASP.NET 1.0 (RTM, SP1, SP2, SP3) and ASP.NET 1.1 (RTM, SP1).
When Forms Authentication is used, an anonymous user who tries to access a protected page such as http://localhost/webapplication2/secret.aspx is redirected to the login page, for example http://localhost/webapplication2/login.aspx?ReturnURL=%2FwebApplication2%2fsecret.aspx.
But with Mozilla, an anonymous user can access the protected page without authenticating by using a backslash in the path: http://localhost/webapplication2\secret.aspx. With IE, %5c achieves a similar effect: http://localhost/WebApplication2%5csecret.aspx
On October 5, Microsoft published the web page "What You Should Know About a Reported Vulnerability in Microsoft ASP.NET" to provide countermeasures for this vulnerability. The current countermeasure is to add the following check to Application_BeginRequest in Global.asax or its code-behind, as described in KB887459:
    // Reject paths that contain a backslash or that are not in canonical form.
    if (Request.Path.IndexOf('\\') >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath)
    {
        throw new HttpException(404, "not found");
    }
Obviously, every application needs this check added to mitigate the vulnerability. Microsoft will also provide other mitigation strategies; watch the "What You Should Know About a Reported Vulnerability in Microsoft ASP.NET" web page for updates.
ASP.NET 2.0 Beta1 is not vulnerable; such requests get a 404 error.
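To find requests of the kind described above in existing web server logs, the following Python script (an added example, not code from the original page or from KB887459) scans W3C extended log lines for paths containing a backslash or %5c and separates those answered with the mitigation's 404 from those that need review. The log lines are constructed, and the script assumes the log records the path as requested in a cs-uri-stem field.

```python
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-10-06 10:01:02 192.0.2.10 GET /WebApplication2/secret.aspx 302
2004-10-06 10:01:05 192.0.2.10 GET /WebApplication2/login.aspx 200
2004-10-06 10:02:11 192.0.2.44 GET /WebApplication2\\secret.aspx 200
2004-10-06 10:02:40 192.0.2.44 GET /WebApplication2%5csecret.aspx 200
2004-10-06 10:03:09 192.0.2.51 GET /WebApplication2%5Csecret.aspx 404
"""


def scan(log_text):
    """Return (line_no, client_ip, uri_stem, status, verdict) per suspicious request."""
    fields, hits = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            # The directive names the columns of the data lines that follow.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        # Decode once so a literal backslash and %5c / %5C are treated alike.
        if "\\" not in unquote(stem):
            continue
        status = row.get("sc-status", "")
        # The KB887459 check answers 404; any other status was not stopped by it.
        verdict = "blocked" if status == "404" else "review"
        hits.append((line_no, row.get("c-ip", ""), stem, status, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s requested %s -> %s (%s)" % hit)
```

A "review" verdict only means the request was not answered with 404; whether the page was served to an anonymous user still has to be checked against the application's authentication records.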