Vulnerability Note VU#283646

Microsoft ASP.NET fails to perform proper canonicalization

Original Release date: 08 Feb 2005 | Last revised: 16 Oct 2007


Microsoft ASP.NET contains a canonicalization vulnerability that may allow a remote unauthenticated attacker to gain access to secure contents.


Microsoft ASP.NET is a programming framework for creating web applications. The canonicalization routine used by ASP.NET fails to correctly parse URLs.


Depending on the contents of the web site, an attacker may take a variety of actions. For example, a remote unauthenticated attacker may be able to access secure web site contents by using a specially crafted URL.


Install an update

Install an update, as specified by MS05-004.


Microsoft includes the following workarounds in MS05-004:

  • Install an HTTP module to check for canonicalization issues as described in Microsoft Knowledge Base article 87289.
  • Test for canonicalization issues with ASP.NET as described in Microsoft Knowledge Base article 887459.
  • Install and use URLScan.
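
The first workaround, a module that checks each request for canonicalization issues, can be sketched as follows. This is an added example, not Microsoft's code from the Knowledge Base article or from this note; the class and method names are hypothetical, and it assumes the policy of rejecting with a 404 any request whose path is not already in canonical form.

```csharp
using System;
using System.IO;
using System.Web;

// Added example; CanonicalPathModule and IsCanonical are hypothetical names.
public sealed class CanonicalPathModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest is raised before AuthenticateRequest and AuthorizeRequest,
        // so a rejected request never reaches the authorization rules.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Request;
        if (!IsCanonical(request.Path, request.PhysicalPath))
            throw new HttpException(404, "Not Found");
    }

    // Kept free of HttpContext so it can be unit-tested on plain strings.
    public static bool IsCanonical(string virtualPath, string physicalPath)
    {
        // A URL path separates segments with '/' only.
        if (virtualPath.IndexOf('\\') >= 0)
            return false;

        // Dot segments should already have been resolved by the time we see the path.
        foreach (string segment in virtualPath.Split('/'))
        {
            if (segment == "." || segment == "..")
                return false;
        }

        try
        {
            // The mapped file path must equal the form the file system resolves it to.
            return Path.GetFullPath(physicalPath) == physicalPath;
        }
        catch (Exception)
        {
            // A path the file system API cannot parse is treated as non-canonical.
            return false;
        }
    }
}
```

Register the class under `<httpModules>` in web.config (or `<modules>` for the IIS 7 and later integrated pipeline) so it runs for every request.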

Systems Affected

Vendor                 Status    Date Notified  Date Updated
Avaya                  Affected  -              17 Feb 2005
Microsoft Corporation  Affected  -              08 Feb 2005

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A



This vulnerability was publicly disclosed by Toby Beaumont.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2004-0847
  • Date Public: 05 Oct 2004
  • Date First Published: 08 Feb 2005
  • Date Last Updated: 16 Oct 2007
  • Severity Metric: 37.97
  • Document Revision: 13

