cbcvebase.
CVE-2004-0847
published 2004-11-03

CVE-2004-0847: The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a…

PriorityP276critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
75.70%
99.5th percentile
The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability."

Affected

2 ranges
VendorProductVersion rangeFixed in
microsoftasp.net<= 1.1
microsoftasp.net

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://www.example.com/secureDirectory\somefile.aspx
urlhttp://www.example.com/secureDirectory%5Csomefile.aspx
  • Detect requests to .aspx files in restricted/secured directories containing a literal backslash '\' in the URI path, which bypasses ASP.NET Forms Authentication.
  • Detect requests to .aspx files in restricted/secured directories containing the URL-encoded backslash '%5C' in the URI path, which bypasses ASP.NET Forms Authentication.
  • Monitor for URI patterns matching '<secureDirectory>\<filename>.aspx' or '<secureDirectory>%5C<filename>.aspx' in web server access logs targeting ASP.NET 1.x applications.
  • ·The bypass specifically targets the Microsoft .NET Forms Authentication capability for ASP.NET; only .aspx files in directories protected by Forms Authentication are affected.
  • ·The two attack vectors behave differently across browsers: the literal backslash '\' variant is effective via Mozilla-based browsers, while the '%5C' encoded variant is effective via Microsoft Internet Explorer.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.