Hi Karl,
This has been talked about pretty extensively in this newsgroup. Here is
the code I wrote to fix the problem programmatically for developers who can't
install URLScan or IIS Lockdown or who use a 3rd party host without those
installed. The code below goes in the Global.asax file and fixes the
problem. Good luck! Ken.
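    Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' Take the URL as requested and turn every backslash into a forward slash
        Dim rPath As String = Request.RawUrl
        rPath = rPath.Replace("\", "/")
        ' Continue processing the request under the rewritten path
        Context.RewritePath(rPath)
    End Sub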
--
Ken Dopierala Jr.
"Karl" <karl REMOVE @ REMOVE openmymind REMOVEMETOO . ANDME net> wrote in
message news:%2****************@TK2MSFTNGP15.phx.gbl...
I realize there's an *.announce list for this sort of thing, but I imagine
a lot of people are like me and spend most of their time here, and seeing as
this is serious news, I thought I'd post:
A [major] security hole in authentication (forms, windows) has been found
in asp.net applications installed on machines running IIS 5.0 without URLScan
or IIS Lockdown Tool installed. You can learn more from:
http://weblogs.asp.net/ksamaschke/ar...02/237042.aspx
(note, the post only talks about forms authentication, but it's been found
to affect windows authentication as well)
Karl
--
MY ASP.Net tutorials
http://www.openmymind.net/
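
An alternative to the rewriting handler in Ken's reply, as an added example that is not part of the original thread: instead of rewriting the request, it refuses any request whose path contains a backslash. It goes beyond the post by also treating the percent-encoded form (%5c) as a backslash, which is an assumption of this example; HasBackslashInPath is a hypothetical helper name.

```vb
' Added example for Global.asax. Use it in place of the rewriting handler:
' only one Application_BeginRequest can exist in the file.

' Returns True when the path portion of a raw URL contains a literal
' backslash or its percent-encoded form (%5c / %5C).
' (Hypothetical helper, not part of ASP.NET.)
Function HasBackslashInPath(ByVal rawUrl As String) As Boolean
    ' Only the path is checked; a backslash in the query string is
    ' ordinary data and must not cause a rejection.
    Dim path As String = rawUrl
    Dim q As Integer = rawUrl.IndexOf("?"c)
    If q >= 0 Then
        path = rawUrl.Substring(0, q)
    End If

    ' Literal backslash.
    If path.IndexOf("\"c) >= 0 Then
        Return True
    End If

    ' Encoded backslash. Lower-case with the invariant culture so the
    ' comparison does not depend on the server's locale.
    path = path.ToLower(System.Globalization.CultureInfo.InvariantCulture)
    Return path.IndexOf("%5c") >= 0
End Function

Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Request.RawUrl is the URL before ASP.NET decodes it, so an encoded
    ' backslash is still visible here as %5c.
    If HasBackslashInPath(Request.RawUrl) Then
        ' Fail closed: the request never reaches the authentication and
        ' authorization stages of the pipeline.
        Throw New HttpException(404, "Not found")
    End If
End Sub
```

Rejecting with a 404 also leaves a record in the IIS log for each refused request, which the rewriting approach does not.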