Microsoft announced a serious security vulnerability in ASP.NET that allows an attacker to gain unauthorized access to files within your web site, including the web.config file, which can contain sensitive information such as database login credentials.
You can review the technical details of this vulnerability on Scott Guthrie's blog:
- Important: ASP.NET Security Vulnerability
- Frequently Asked Questions about the ASP.NET Security Vulnerability
Since Microsoft has not released a patch for this problem, we recommend that our customers do the following:
- Update your web application with the workaround recommended in the above posts and enable <customErrors>.
- Encrypt your web.config file, as Scott Guthrie recommends for best practice in the FAQ above. We describe how to encrypt your web.config file in this Knowledge Base article.
Microsoft has also created a forum on the ASP.NET site to field questions about this security vulnerability.
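To make the two recommendations concrete, here is an added example (not from this notice or from the linked posts) showing the weak <customErrors> setting beside the hardened one, with the connectionStrings section that encryption should cover; the application name, error page path and connection string are placeholders.

```xml
<!-- web.config (added example; app name, paths and connection string are placeholders) -->
<configuration>
  <connectionStrings>
    <!-- This is the section that holds credentials and the one to encrypt, e.g.
         aspnet_regiis -pe "connectionStrings" -app "/YourApp"
         so that the plaintext password is not readable even if the file is obtained. -->
    <add name="MainDb"
         connectionString="Server=db.example.internal;Database=app;User Id=app;Password=PLACEHOLDER" />
  </connectionStrings>

  <system.web>
    <!-- WEAK: detailed error pages, or a different page per status code, let a remote
         client distinguish one failure from another. Neither of these should ship:
         <customErrors mode="Off" />
         <customErrors mode="On">
           <error statusCode="404" redirect="~/notfound.aspx" />
           <error statusCode="500" redirect="~/servererror.aspx" />
         </customErrors>
    -->

    <!-- HARDENED: every error, whatever its cause or status code, gets the same single
         page, and the page itself should respond identically for every error.
         redirectMode="ResponseRewrite" needs .NET 3.5 SP1 or later; on older versions
         omit that attribute and keep mode="On" with one defaultRedirect. -->
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
```

After deploying, request a non-existent page and an invalid URL and confirm that both return exactly the same error page and status; if they differ, the configuration is not yet uniform.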