Urs Eichmann

**Name of the Vulnerable Software and Affected Versions** Microsoft .NET framework 2.0 (ASP.NET) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1 **Description** This issue allows remote attackers to bypass access restrictions via unspecified "URL paths" that can access Application Folder objects explicitly by name. It could allow an attacker to bypass ASP.Net security and gain unauthorized access to objects in the Application folders, potentially producing useful information to further compromise the affected system. Note that this issue would not allow an attacker to execute code or to elevate their user rights directly. **Recommendations** For Microsoft .NET framework 2.0 (ASP.NET) in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, consider restricting access to Application Folder objects to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.