Microsoft .NET Framework contains a vulnerability that could allow an unauthenticated, remote attacker to bypass certain security features of ASP.NET. An exploit could allow the attacker to access information that normally requires authorization.
The vulnerability is due to security flaws in two .NET functions. An attacker could exploit the vulnerability by creating HTML on an affected system that makes a malicious call to one of these functions, or by finding a page that passes attacker-supplied data directly to one of these functions. A successful exploit would provide the attacker with the contents of pages within the website. Such pages may contain sensitive information that could be leveraged to perform additional attacks against the system.
Proof-of-concept code is available to demonstrate the retrieval of arbitrary web pages.
Microsoft confirmed the vulnerability in a security bulletin and released software updates.