New ASP.NET vulnerability
Wednesday, October 06, 2004 10:29 AM
Microsoft just published some information about a new ASP.NET vulnerability. According to the web page, an attacker could exploit this vulnerability to view secured content on a server without providing the proper credentials. This issue affects any version of ASP.NET.
At the moment, Microsoft recommends implementing the suggestion made in KB article 887459 ("Programmatically Checking for Canonicalization Issues with ASP.NET"). The article provides C# and VB.NET code samples. If you're using Delphi 8, open the Global.pas file and edit the Application_BeginRequest method:
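procedure TGlobal.Application_BeginRequest(sender: System.Object; e: EventArgs);
begin
  // Reject any request whose path contains a backslash, or whose physical
  // path differs from its canonical (fully resolved) form.
  if (Request.Path.IndexOf('\') >= 0) or
     (System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
    raise HttpException.Create(404, 'not found');
end;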
Make sure you add System.IO to your uses clause to compile the code.