A security flaw in Microsoft’s ASP.NET technology could allow intruders to enter password-protected areas of a web site by altering a URL. A fix is not yet available, but Microsoft is offfering guidelines to help ASP.NET users secure their sites against intrusion attempts. The flaw exists only in ASP.NET, not ASP (Active Server Pages).
Microsoft reported: “This issue affects Web content owners who are running any version of ASP.NET on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional, and Windows Server 2003.” Netcraft data finds that ASP.NET is currently on over 2.9 million active sites.
The security hole involves a bug in ASP.NET's handling of URLs, known as "canonicalization." If a visitor to an ASP.NET site substitutes '\' or '%5C' for the '/' character in the URL, they may be able to bypass password login screens. The technique may also work if a space is subsituted for the slash. Security researchers say the bug operates differently in Mozilla browsers and Internet Explorer. It also apparently allows authenticated users to bypass password protection on administrative areas of a site.
Earlier this year, the handling of URLs was at the heart of a security flaw in Internet Explorer that allowed phishing scams to more easily spoof web pages. While that flaw was tied to the IE browser's handling of URLs, the new flaw exploits a weakness in the way ASP.NET handles URLs in requests to the web server.
ASP.NET is a programming framework that can be used on a server to build web applications, and serves as a successor to ASP. Microsoft presents ASP.NET as offering numerous advantages over other development platforms, including improvements in performance and scalability.