Microsoft reported a security flaw that could allow an attacker to

enter a specially crafted URL in that way bypassing any form of

authentication and access secured content.

Microsoft has already released a patch and offers a programmatic

solution to the problem.

They can be found here (either one of them is enough):

Microsoft ASP.NET ValidatePath module (VPModule.msi)

Programmatically Check for Canonicalization Issues with ASP.NET

The full security article can be found here: What You Should Know

About a Reported Vulnerability in Microsoft ASP.NET