Microsoft reported a security flaw that could allow an attacker to
enter a specially crafted URL in that way bypassing any form of
authentication and access secured content.
Microsoft has already released a patch and offers a programmatic
solution to the problem.
They can be found here (either one of them is enough):
Microsoft ASP.NET ValidatePath module (VPModule.msi)
Programmatically Check for Canonicalization Issues with ASP.NET
The full security article can be found here: What You Should Know
About a Reported Vulnerability in Microsoft ASP.NET