Microsoft Security Bulletin MS05-004
ASP.NET Path Validation Vulnerability (887219)

Issued: February 8, 2005
Version: 1.0

Summary

Who should read this document: Customers who use Microsoft Windows .NET Framework

Impact of Vulnerability: Information Disclosure, possible Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should install the update at the earliest opportunity.

Security Update Replacement: None.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

Microsoft .NET Framework 1.0
• Download the update for .NET Framework 1.0 Service Pack 3 for the following operating system versions:
  • Windows 2000 Service Pack 3 or Service Pack 4
  • Windows XP Service Pack 1 or Windows XP Service Pack 2
  • Windows Server 2003
• Download the update for .NET Framework 1.0 Service Pack 3 for the following operating system versions:
  • Windows XP Tablet PC Edition
  • Windows XP Media Center Edition
• Download the update for .NET Framework 1.0 Service Pack 2 for the following operating system versions:
  • Windows 2000 Service Pack 3 or Service Pack 4
  • Windows XP Service Pack 1 or Windows XP Service Pack 2
  • Windows Server 2003
• Download the update for .NET Framework 1.0 Service Pack 2 for the following operating system versions:
  • Windows XP Tablet PC Edition
  • Windows XP Media Center Edition

Microsoft .NET Framework 1.1
• Download the update for .NET Framework 1.1 Service Pack 1 for the following operating system versions:
  • Windows 2000 Service Pack 3 or Service Pack 4
  • Windows XP Service Pack 1 or Windows XP Service Pack 2
  • Windows XP Tablet PC Edition
  • Windows XP Media Center Edition
• Download the update for .NET Framework 1.1 Service Pack 1 for the following operating system versions:
  • Windows Server 2003
• Download the update for .NET Framework 1.1 for the following operating system versions:
  • Windows 2000 Service Pack 3 or Service Pack 4
  • Windows XP Service Pack 1 or Windows XP Service Pack 2
  • Windows XP Tablet PC Edition
  • Windows XP Media Center Edition
• Download the update for .NET Framework 1.1 for the following operating system versions:
  • Windows Server 2003

Non-Affected Software:
• None

Affected Components:
• ASP.NET

The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.

Executive Summary:

This update resolves a public vulnerability in ASP.NET that could allow an attacker to bypass the security of an ASP.NET Web site and gain unauthorized access. The vulnerability is documented in the Vulnerability Details section of this bulletin.
An attacker who successfully exploited this vulnerability could gain unauthorized access to parts of a Web site. The actions that the attacker could take would depend on the specific content being protected.

http://www.microsoft.com/technet/security/...n/ms05-004.mspx