Security problem in ASP.NET affecting EPiServer installations
Security Bug in ASP.NET
Background
A serious security bug has been found in ASP.NET (see Microsoft Knowledge Base article KB887459 - http://support.microsoft.com/?kbid=887459 ) that allows users that are not logged on to access secure content on a Web site. Since this problem affects all Web sites using the default ASP.NET authorisation functions, it also affects EPiServer 4.x. This means that unauthorised Web users can access, change or damage information on your EPiServer Web site.
Affected environments
This vulnerability has been reported to work on all operating systems before Windows 2003 that support IIS 5, including Windows 2000, Small Business Server 2000 and Windows XP (even with Service Pack 2 installed). Windows 2003 is not affected in its default configuration.
Any system that has the Microsoft URLScan security tool installed with its default configuration is not affected.
Problem
The URL of a request sent by the Web browser can be written with escaped characters that ASP.NET does not normalise before applying its authorisation rules. This enables unauthorised users to access secure parts of the Web site.
Strategies to handle the problem
The recommended solution is to install the URLScan Security Tool (http://www.microsoft.com/downloads/details.aspx?FamilyID=12244f33-a5da-4203-a3a8-83f4388bb71f&DisplayLang=en).
Another option would be to use IP address restrictions in IIS to limit access to the admin and edit folders in EPiServer to local users only. This might not be possible for all kinds of installations, for example if you have a site that editors access from the Internet to edit and create content.
If you cannot use URLScan or the IP address restrictions for any reason, we provide an HTTP module that can be installed on any ASP.NET Web site. The file is available from http://www.episerver.com/download/Partnermaterial/ASPNETBugFixKB887459.zip
The final option is to wait for a hot-fix from Microsoft – not recommended due to the serious nature of the problem.
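As an added illustration (not the EPiServer module from the download above, and not code from Microsoft's hot-fix), the following C# HTTP module shows the kind of check such a module performs: before ASP.NET authorisation runs, it rejects any request whose path is not in canonical form. The module and class names are hypothetical; the two checks are the ones Microsoft published as a workaround for this issue.

```csharp
// CanonicalizationModule.cs (hypothetical name; added example only)
using System;
using System.IO;
using System.Web;

public class CanonicalizationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before FileAuthorizationModule and
        // UrlAuthorizationModule, so a non-canonical path never reaches them.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Context.Request;
        if (!IsCanonical(request.Path, request.PhysicalPath))
        {
            // Answer as if the resource does not exist; do not explain why.
            throw new HttpException(404, "Not found");
        }
    }

    // Returns false when the request is not in canonical form:
    //  - the virtual path contains a backslash, or
    //  - the physical path changes when fully resolved, i.e. it still
    //    carries escaped or relative segments that authorisation would
    //    not have normalised before comparing against its rules.
    internal static bool IsCanonical(string virtualPath, string physicalPath)
    {
        if (virtualPath.IndexOf('\\') >= 0)
            return false;
        if (Path.GetFullPath(physicalPath) != physicalPath)
            return false;
        return true;
    }
}

// Registration in web.config (same hypothetical names):
// <configuration>
//   <system.web>
//     <httpModules>
//       <add name="CanonicalizationModule" type="CanonicalizationModule" />
//     </httpModules>
//   </system.web>
// </configuration>
```

The class must be compiled into an assembly in the site's bin folder (or the type name in web.config qualified with its assembly) for ASP.NET to load it.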
Questions
For any further questions please contact our support at support@ep.se