Update - ASP.NET Vulnerability
This is an update to yesterday's post, ASP.NET Vulnerability, as there have been many developments since then. To conclude: this vulnerability applies to all platforms running any version (as of today) of the .NET Framework and using ASP.NET, with either Forms or Windows authentication. For IIS 5.1 and below you can deploy URLScan to filter the illegal '\' or '%5C' requests; however, it is recommended that you apply the workaround stated in KB 887459, as this is an ASP.NET attack rather than an exploit on the IIS server.
Next, is IIS 6 vulnerable? The answer is NO, because IIS 6 has better and tighter parsing restrictions. Here's what I have tested.
With URLScan:
Browsing: http://localhost/test%5Cblabla.aspx
The request was rejected by URLScan - as expected.
Client at xxx.xxx.xxx.xxx: URL contains sequence '\', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='%5Cblabla.aspx'
Browsing: http://localhost/test\blabla.aspx
The request was NOT rejected by URLScan - Ding !! (Updated 2:30pm (GMT+8): this is because IE replaced the \ with /, hence it's valid - thanks to Ken Schaefer. However, in Mozilla it will be replaced with %5C.)
GET /test/blabla.aspx - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) - - localhost 302 0 0
And it's redirected to default.aspx for authentication.
Without URLScan:
Browsing with either '/' or '%5C', you will get:
GET /test/blabla.aspx - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) - - localhost 302 0
Hence, IIS 6 is not vulnerable. But then again, you are advised to apply the workaround code in your ASP.NET app. Next, an interesting fact: both '\' and '%5C' are captured as '/' in the IIS log file (/blabla.aspx). It's quite bad (IMHO), as we never know the original request detail.
Note: Tested with IE 6 and Mozilla 1.7
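
Since the IIS log shows '/' for both forms, the URLScan log is where the original request survives. The following is an added example (not code from this post, from KB 887459 or from URLScan) that parses rejection entries in the format quoted above and reports whether the backslash arrived literally or percent-encoded; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample, modelled on the URLScan rejection entry quoted in the post.
# Client addresses are documentation-range placeholders.
SAMPLE_URLSCAN_LOG = r"""
Client at 192.0.2.10: URL contains sequence '\', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/test%5Cblabla.aspx'
Client at 192.0.2.10: URL contains sequence '\', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/test\blabla.aspx'
Client at 192.0.2.44: URL contains sequence '\', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/Test%5cdefault.aspx'
(constructed filler line that is not a rejection entry)
"""

REJECTION = re.compile(
    r"Client at (?P<client>\S+): URL contains sequence '(?P<seq>[^']+)', "
    r"which is disallowed\. Request will be rejected\. "
    r"Site Instance='(?P<site>\d+)', Raw URL='(?P<raw>[^']*)'"
)

def parse_backslash_rejections(log_text):
    """Return one record per rejection whose denied sequence is a backslash."""
    records = []
    for line in log_text.splitlines():
        m = REJECTION.search(line)
        if not m or m.group("seq") != "\\":
            continue  # not a rejection entry, or rejected for another sequence
        raw = m.group("raw")
        records.append({
            "client": m.group("client"),
            "raw_url": raw,
            # How the backslash arrived: percent-encoded (%5C / %5c) or literal.
            "form": "encoded" if "%5c" in raw.lower() else "literal",
            # Models the post's observation that the IIS log shows '/' either way.
            "as_iis_logs_it": unquote(raw).replace("\\", "/"),
        })
    return records

def clients_by_count(records):
    """Count rejected backslash requests per client address."""
    return Counter(r["client"] for r in records)

if __name__ == "__main__":
    for rec in parse_backslash_rejections(SAMPLE_URLSCAN_LOG):
        print(rec)
```
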