Hear me now… There is a flaw in the way ASP.NET parses the path to a secure folder. Apparently it only happens with non IE browsers, but what does that matter? A user can see aspx pages in folders that are supposed to be secure.
This is a major flaw and you should update you website immediately if you are using ASP.NET security.
Read this security bulletin.
Add this code to your Global.asax.
Code sample
The following samples demonstrate how to add an Application_BeginRequest event handler to a Global.asax file. The event handler helps protect against invalid characters and malformed URLs by performing path verifications to help protect against common canonicalization issues.
Global.asax code sample (Visual Basic .NET)
<script language="vb" runat="server">
Sub Application_BeginRequest(Sender as Object, E as EventArgs)
If (Request.Path.IndexOf(chr(92)) >= 0 OR _
System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then
Throw New HttpException(404, "Not Found")
End If
End Sub
</script>
Global.asax code sample ( C#)
<script language="C#" runat="server">
void Application_BeginRequest(object source, EventArgs e) {
if (Request.Path.IndexOf('\\') >= 0 ||
System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
throw new HttpException(404, "not found");
}
}
</script>