Old bugs in new software. Successful proof of concept!

(Viejos agujeros en el nuevo software. Prueba de concepto exitosa!)

While I'm reading blogs I've found the proof of concept of the bug in canonicalization of the URLs.

In my machine the bug works so it's time to patch it with the method 2

A standard forms authentication setup requires the presence of "web.config" to set the authentication method and login procedure. The presence of this file prevents access to certain files (.aspx files for example) unless authenticated.
Put in web.config

<authentication mode="Forms">
<forms name=".FORM" loginurl="login.aspx">
</authentication>

--- Example ---
The webroot for your website is:
c:\inetpub\wwwroot\mysite
You want to secure files in a sub directory "secure"
c:\inetpub\wwwroot\mysite\secure\web.config
A request to http://localhost/secure/somefile.aspx would then redirect the user to a predefined authentication page(login.aspx), as defined in web.config, before allowing the user access to "somefile.aspx".

--- Bug ---
1. Using Mozilla not IE, you make a request to http://localhost/secure\somefile.aspx The use of a backslash rather than a forward slash appears to bypass the expected authentication model invoked in .NET forms authentication
2. Using IE, you make a request to http://localhost/secure\somefile.aspx - IE automatically replaces the backslash "\" with a forward slash "/" and everything appears fine. However, replace the backslash "\" with %5C (%5C being hex value for \) and all is not so fine:
http://localhost/secure%5Csomefile.aspx

Permalink: Old bugs in new software. Successful proof of concept!