Home | Shorter Path | About Me

New ASP.NET vulnerability

Wednesday, October 06, 2004 10:29 AM

Microsoft just published some information about a new ASP.NET vulnerability. According to the web page, an attacker could exploit this vulnerability to view secured content on a server without providing the proper credentials. This issue affects any version of ASP.NET.

At the moment, Microsoft recommends implementing the suggestion made in KB article 887459 ("Programmatically Checking for Canonicalization Issues with ASP.NET"). The article provides C# and VB.NET code samples. If you're using Delphi 8, open the Global.pas file and edit the Application_BeginRequest method:

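procedure TGlobal.Application_BeginRequest(sender: System.Object; e: EventArgs);
begin
  // Reject the request if the virtual path contains a backslash, or if the
  // physical path is not already in its canonical (fully resolved) form.
  if (Request.Path.IndexOf('\') >= 0) or
    (System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
    raise HttpException.Create(404, 'not found');
end;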

Make sure you add System.IO to your uses clause to compile the code.
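
The same check can also be packaged as an HTTP module, so it can be registered in web.config for an application without editing its Global file. The following is an added example, not code from the KB article or from this post; the class name CanonicalPathModule and the assembly name in the registration comment are placeholders. It also returns the same 404 when GetFullPath itself rejects the path, instead of letting that exception surface as a server error.

```csharp
using System;
using System.IO;
using System.Web;

// Added example: the BeginRequest check from the post, wrapped in an IHttpModule.
// Register it in web.config (assembly name is a placeholder):
//   <system.web>
//     <httpModules>
//       <add name="CanonicalPathModule" type="CanonicalPathModule, YourAssembly" />
//     </httpModules>
//   </system.web>
public sealed class CanonicalPathModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose()
    {
    }

    // True only when the virtual path has no backslash and the physical path
    // is already identical to its fully resolved form.
    public static bool IsCanonical(string virtualPath, string physicalPath)
    {
        if (virtualPath == null || physicalPath == null) return false;
        if (virtualPath.IndexOf('\\') >= 0) return false;

        string fullPath;
        try
        {
            fullPath = Path.GetFullPath(physicalPath);
        }
        // GetFullPath throws on malformed input; treat that as non-canonical.
        catch (ArgumentException) { return false; }
        catch (NotSupportedException) { return false; }
        catch (PathTooLongException) { return false; }

        return fullPath == physicalPath;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Request;
        if (!IsCanonical(request.Path, request.PhysicalPath))
            throw new HttpException(404, "not found");
    }
}
```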

Copyright 2004 Yorai Aminov