Has anyone noticed that Microsoft is willing to admit to that “a bug in ASP.NET canonicalization exists”, but refuses to divulge any more information?  Considering that the information is easily available and being distributed by bloggers between themselves, you should have all of the information at your fingertips to protect yourself.

Basically, the bug involves subverting Windows or Forms authentication by modifying your URL slightly.  By replacing traditional URL slashes with backslashes, you can fool ASP.NET into serving files that should be protected.

Note that you’ll need to use Firefox to check out some parts of this bug, since IE automatically replaces DOS-style slashes with URL-style slashes in the address bar.

The original message is here on NTBugTraq.  Don’t let Microsoft keep the important security information away from you!

Note: there are alternate ways to exploit this bug by using the URL-encoded version of a slash to subvert the URL scanner.  The one described above is the easiest attack to implement.  I’ll post more information here as I discover it.

Read full post