Microsoft KB Archive/887219

= MS05-004: ASP.NET path validation vulnerability could allow unauthorized access =

Article ID: 887219

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft .NET Framework 1.0 Service Pack 2
 * Microsoft .NET Framework 1.0 Service Pack 3
 * Microsoft .NET Framework 1.1
 * Microsoft .NET Framework 1.1 Service Pack 1

-



Technical updates

 * June 14, 2005 After the release of this bulletin, it was determined that the update for the Microsoft .NET Framework 1.0 Service Pack 3 for the Microsoft Windows XP Tablet PC Edition operating system and the Microsoft Windows XP Media Center Edition operating system were failing to install when the update was distributed via SMS or AutoUpdate. The updated package corrects this behavior.
 * August 8, 2006 After the release of this bulletin, it was determined that the vulnerability also affects the Itanium-based versions of the Microsoft Windows Server 2003 operating systems, .NET Framework 1.1 Service Pack 1 for the 64-bit versions of the Microsoft Windows Server 2003 operating systems, and Windows XP Professional x64 Edition. Microsoft has updated the security bulletin MS05-004 with additional information about these operating systems in the “Affected Software” section.



Microsoft has re-released security bulletin MS05-004. The security bulletin contains all the relevant information about the security update, including file manifest information and deployment options. To view the complete security bulletin, visit the following Microsoft Web site:  Home users:

http://www.microsoft.com/protect/computer/updates/bulletins/default.mspx

 IT professionals:

http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx



For more information about the ASP.NET performance impact after you install security update MS05-004, click the following article numbers to view the articles in the Microsoft Knowledge Base:

891829 ASP.NET performance may be affected after you install security update MS05-004

894670 You may receive error messages when you browse or try to debug an ASP.NET application after you install security update 887219 (MS05-004)

For more information about how to troubleshoot Microsoft .NET Framework 1.1 installation issues, click the following article number to view the article in the Microsoft Knowledge Base:

824643 How to troubleshoot Microsoft .NET Framework 1.1 installation issues

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

268800 Windows Installer must have original source files when you apply a patch

For more information about an HTTP module to check for canonicalization issues with ASP.NET, click the following article number to view the article in the Microsoft Knowledge Base:

887289 HTTP module to check for canonicalization issues with ASP.NET

For more information about how to use the ASP.NET ValidatePath Module Scanner, click the following article number to view the article in the Microsoft Knowledge Base:

887290 How to use the ASP.NET ValidatePath Module Scanner (VPModuleScanner.js)



MORE INFORMATION
The MS05-004 security update that you install depends of the configuration of your computer. The following is a list of the different MS05-004 updates by operating system.

Security update 886906
Security update 886906 is for the Microsoft .NET Framework 1.0 Service Pack 3 for the following operating systems:
 * Microsoft Windows 2000 Service Pack 3 or Windows 2000 Service Pack 4
 * Windows XP Service Pack 1 or Windows XP Service Pack 2
 * Windows Server 2003, Windows Server 2003 Service Pack 1, or Windows Server 2003 Service Pack 2
 * Windows Server 2003 x64 Edition or Windows Server 2003 x64 Edition Service Pack 2
 * Windows Server 2003 for Itanium-based Systems, Windows Server 2003 with Service Pack1 for Itanium-based Systems, or Windows Server 2003 with Service Pack 2 for Itanium-based Systems
 * Windows Vista

Security update 887998
Security update 887998 is for the .NET Framework 1.0 Service Pack 3 for the following operating systems:
 * Windows XP Tablet PC Edition
 * Windows XP Media Center Edition

Security update 886905
Security update 886905 is for the .NET Framework 1.0 Service Pack 2 for the following operating systems:
 * Windows 2000 Service Pack 3 or Windows 2000 Service Pack 4
 * Windows XP Service Pack 1 or Windows XP Service Pack 2
 * Windows Server 2003, Windows Server 2003 Service Pack 1, or Windows Server 2003 Service Pack 2
 * Windows Server 2003 x64 Edition or Windows Server 2003 x64 Edition Service Pack 2
 * Windows Server 2003 for Itanium-based Systems, Windows Server 2003 with Service Pack 1 for Itanium-based Systems, or Windows Server 2003 with Service Pack 2 for Itanium-based Systems

Security update 887999
Security update 887999 is for the .NET Framework 1.0 Service Pack 2 for the following operating systems:
 * Windows XP Tablet PC Edition
 * Windows XP Media Center Edition

Security update 886903
Security update 886903 is for the .NET Framework 1.1 Service Pack 1 for the following operating systems:
 * Windows 2000 Service Pack 3 or Windows 2000 Service Pack 4
 * Windows XP Service Pack 1 or Windows XP Service Pack 2
 * Windows XP Tablet PC Edition
 * Windows XP Media Center Edition
 * Windows XP Professional x64 Edition or Windows XP Professional x64 Edition Service Pack 2
 * Windows Server 2003, Windows Server 2003 Service Pack 1, or Windows Server 2003 Service Pack 2
 * Windows Server 2003 x64 Edition or Windows Server 2003 x64 Edition Service Pack 2
 * Windows Server 2003 for Itanium-based Systems, Windows Server 2003 with Service Pack 1 for Itanium-based Systems, or Windows Server 2003 with Service Pack 2 for Itanium-based Systems

Security update 886904
Security update 886904 is for the .NET Framework 1.1 for the following operating systems:
 * Windows 2000 Service Pack 3 or Windows 2000 Service Pack 4
 * Windows XP Service Pack 1 or Windows XP Service Pack 2
 * Windows XP Tablet PC Edition
 * Windows XP Media Center Edition
 * Windows Server 2003, Windows Server 2003 Service Pack 1, or Windows Server 2003 Service Pack 2
 * Windows Server 2003 x64 Edition or Windows Server 2003 x64 Edition Service Pack 2
 * Windows Server 2003 for Itanium-based Systems, Windows Server 2003 with Service Pack 1 for Itanium-based Systems, or Windows Server 2003 with Service Pack 2 for Itanium-based Systems

Additional query words: update security_patch security_update security bug flaw vulnerability malicious attacker exploit canonicalization

Keywords: kbfix kbbug kbsecvulnerability kbsecurity kbsecbulletin KB887219

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.