What You Should Know About a Reported Vulnerability in Microsoft ASP.NET
Published: October 5, 2004 | Updated: October 7, 2004
Microsoft is continuing to investigate a reported vulnerability in Microsoft ASP.NET. Reports have indicated that an attacker could send specially crafted requests to a Web server running ASP.NET applications and bypass forms-based authentication or Windows authorization configurations, and potentially view secured content without providing the proper credentials. Our initial investigation has revealed that all versions of ASP.NET could be affected, independent of the installed IIS version or IIS components.
Microsoft strongly advises, as a preventative measure, that all Web content owners and administrators who are running any version of ASP.NET immediately read and implement one of the suggestions made in the Microsoft Knowledge Base articles listed on this page.
Note This page was updated October 7, 2004, to include information about a newly released mitigation option, an HTTP module installer. This module protects all ASP.NET applications on a Web server against canonicalization problems that are currently known to Microsoft as of the publication date. We will continue to update this page as additional guidance and resources become available.
Guidance for Web Site Administrators
Microsoft has released an HTTP module that Web site administrators can apply to their Web server that will protect all ASP.NET applications on the server against URL canonicalization problems known to Microsoft as of the publication date. This module, as well as detailed guidance and deployment information, is available from the Microsoft Download Center.
Microsoft ASP.NET ValidatePath module (VPModule.msi)
For additional guidance on how to install and deploy this module to help protect your servers, see Microsoft Knowledge Base Article 887289, "HTTP Module to Check for Canonicalization Issues with ASP.NET."
Guidance for ASP.NET Developers
Note If you install the HTTP module, this guidance is not necessary.
Microsoft recommends that Web site owners and developers implement the suggestions made in Microsoft Knowledge Base Article 887459, "Programmatically Check for Canonicalization Issues with ASP.NET," to mitigate this issue. Applying the article's guidance to your ASP.NET application will protect the application against URL canonicalization problems known to Microsoft as of the publication date.
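The following Global.asax fragment is an added illustration of the kind of application-level check that a programmatic canonicalization mitigation takes: it rejects a request whose path is not already in canonical form before any authorization decision is made. It is example code written for this page, not the text of Knowledge Base Article 887459, and the method name IsCanonicalRequest is an assumption.

```csharp
<%@ Application Language="C#" %>

<script runat="server">
// Runs for every request, ahead of the authentication and
// authorization modules, so a non-canonical path never reaches them.
void Application_BeginRequest(object sender, EventArgs e)
{
    if (!IsCanonicalRequest(Request.Path, Request.PhysicalPath))
    {
        // Answer as if the resource does not exist; give no detail
        // about why the request was refused.
        throw new HttpException(404, "not found");
    }
}

// Illustrative helper (not from the KB article). A path is treated as
// canonical only if the virtual path contains no backslash, which is
// not a valid URL separator, and the physical path that ASP.NET mapped
// it to is identical to its fully normalized form, so it contains no
// "." or ".." segments and no other shorthand the file system would
// silently resolve.
static bool IsCanonicalRequest(string virtualPath, string physicalPath)
{
    if (virtualPath.IndexOf('\\') >= 0)
    {
        return false;
    }

    string normalized = System.IO.Path.GetFullPath(physicalPath);
    return normalized == physicalPath;
}
</script>
```

Because the check runs in Application_BeginRequest, it covers every page and handler in the application without changes to individual pages; the server-wide HTTP module described above makes this per-application code unnecessary.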
In addition to this guidance, which will help protect customers against this type of security issue, Microsoft is working to provide a security update to ASP.NET that will provide additional protection for customers. We will release the update once it has reached an appropriate level of quality for deployment.
Technical Assistance
If you believe you are affected by this potential issue, contact Microsoft Product Support Services for assistance.
For no-charge security update and virus-related support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338).
For worldwide support, contact your local Microsoft office.