October 7, 2004 -- (WEB HOST INDUSTRY REVIEW) -- According to research and analysis firm Netcraft (netcraft.com), a security flaw in Microsoft's ASP.NET technology potentially allows intruders to enter password-protected areas of a Web site by altering the URL.
The flaw, which affects all versions of ASP.NET on Windows 2000, Windows 2000 Server, Windows XP Professional and Windows Server 2003, lies in how ASP.NET canonicalizes URLs, that is, how it reduces a requested path to a single standard form before deciding whether the visitor is allowed to see it. If a visitor to an ASP.NET site substitutes '\' or '%5C' (the URL-encoded backslash) for the '/' character in the URL, the request can slip past the site's password login screen, because the path is checked in its altered form but still resolves to the protected page. The technique may also work if a space is substituted for the slash.
Netcraft said the flaw operates differently in Internet Explorer and Mozilla browsers, so an altered URL that works in one browser may need to be encoded differently to work in the other.
A patch for the flaw, the report said, is not yet available, but Microsoft has published guidelines to help ASP.NET users secure their Web sites from intrusion.
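As an added illustration of the kind of interim protection an ASP.NET site could put in place, the following HTTP module refuses any request whose path is not already in canonical form before ASP.NET's login and authorization checks run. This is example code written for this article, not the text of Microsoft's guidelines and not code from Netcraft; the class and method names (CanonicalPathModule, IsCanonical, OnBeginRequest) are the author's own choices, and the check assumes that a legitimate URL on the site never contains a backslash.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.Web;

// Added example (not Microsoft's or Netcraft's code): reject non-canonical
// request paths before ASP.NET authorization runs. Class and method names
// are assumptions chosen for this illustration.
public class CanonicalPathModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before authentication and URL authorization,
        // so a request rejected here never reaches the login bypass.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose()
    {
    }

    // True only when the request carries no backslash, neither literal nor
    // encoded as %5C, and the physical file path it maps to does not change
    // when Windows canonicalizes it (which also strips trailing spaces and
    // dots from the last path component).
    public static bool IsCanonical(string requestPath, string rawUrl, string physicalPath)
    {
        if (requestPath != null && requestPath.IndexOf('\\') >= 0)
            return false;

        if (rawUrl != null)
        {
            if (rawUrl.IndexOf('\\') >= 0)
                return false;
            // Compare case-insensitively so both %5c and %5C are caught.
            string lowered = rawUrl.ToLower(CultureInfo.InvariantCulture);
            if (lowered.IndexOf("%5c") >= 0)
                return false;
        }

        if (physicalPath != null && physicalPath.Length > 0)
        {
            // If canonicalizing the path changes it, the request used a
            // non-canonical spelling of the file name or directory.
            if (Path.GetFullPath(physicalPath) != physicalPath)
                return false;
        }

        return true;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Request;

        if (!IsCanonical(req.Path, req.RawUrl, req.PhysicalPath))
        {
            // A plain 404 reveals nothing about why the path was refused.
            throw new HttpException(404, "Not found");
        }
    }
}
```

To activate the module, register it in the application's web.config under the httpModules section, for example with an add element whose name is "CanonicalPathModule" and whose type is "CanonicalPathModule". The important design point is where the check runs: because the login decision is made on the path as received, the defense has to run before that decision and must reason about the raw, undecoded URL as well as the decoded path, otherwise an encoded backslash is missed.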
According to Netcraft data, over 2.9 million active sites run ASP.NET, a number that has been steadily climbing over the last year.