Microsoft has released a patch that is meant to help protect against
a reported vulnerability in ASP.NET. It's recommended that ASP.NET
users either install the patch or implement the previously published
workaround to prevent unauthorized Web site visitors from viewing
Microsoft is continuing to investigate a reported vulnerability in Microsoft ASP.NET.
Reports have indicated that an attacker could send specially crafted requests to a Web
server running ASP.NET applications and bypass forms-based authentication or Windows
authorization configurations, and potentially view secured content without providing
the proper credentials. Our initial investigation has revealed that all versions of
ASP.NET could be affected, independent of the installed IIS version or IIS components.
Microsoft strongly advises, as a preventative measure, that all Web content owners and
administrators who are running any version of ASP.NET immediately read and implement
one of the suggestions made in the Microsoft Knowledge Base articles listed on
With the release of this patch, there are currently two different fixes available:
a workaround and the patch.
The workaround consists of code that, while quite simple, needs to be added to every
application's Global.asax file.
This can be troublesome to implement, and it does not protect applications created later,
since each new application needs the same code added.
Therefore, unless you have a specific reason to choose the workaround route, I'd recommend
using the patch.
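The Global.asax workaround referred to above, written out here as an added example (it is not code from the original post). It follows the published Microsoft Knowledge Base check: in Application_BeginRequest, which runs before forms authentication, the request is refused whenever its path is not already in canonical form, so the authorization rules are always evaluated against the normalized resource path.

```csharp
<%@ Application Language="C#" %>
<%@ Import Namespace="System.IO" %>

<script runat="server">
    // Runs for every request in this application before authentication
    // and authorization modules see it.
    void Application_BeginRequest(object sender, EventArgs e)
    {
        // Refuse any request whose path is not canonical. If the virtual path
        // contains a backslash, or the physical path differs from its fully
        // resolved form, the URL was not normalized and the <authorization>
        // rules might not be matched against the real resource.
        if (IsNonCanonicalPath(Request.Path, Request.PhysicalPath))
        {
            // Answer with a plain 404 rather than describing why the request
            // was rejected.
            throw new HttpException(404, "Not found");
        }
    }

    // Returns true when the request should be refused.
    static bool IsNonCanonicalPath(string virtualPath, string physicalPath)
    {
        if (virtualPath.IndexOf('\\') >= 0)
        {
            return true;
        }
        // Path.GetFullPath resolves "." and ".." segments and separators;
        // a canonical physical path is unchanged by it.
        return Path.GetFullPath(physicalPath) != physicalPath;
    }
</script>
```

Because this lives in Global.asax, it has to be present in every application on the server, which is exactly the maintenance burden the post describes.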
The patch is available as a free download from Microsoft's site.
It's basically just an HTTP module called ValidatePath, which is distributed as
an .msi package. It installs quickly and easily without requiring a
reboot or web server restart and I've yet to hear of anyone having any problems with it.
You can find more information about the vulnerability and the different approaches
to eliminating it from the links below: