ANOTHER UPDATE: Sitecore released a fix last Friday on SDN.
UPDATE: A FAQ that details more about the workaround and the vulnerability was released on Sep 20.
Yes. You read that right. Essentially, by doing some queries on the server that has an ASP.NET-based Website/app, a hacker can eventually figure out how to download restricted files like web.config and even be able to determine the server’s cipher text and decrypt your site’s Viewstate or other encrypted data you may have.
I’m posting this here because Sitecore is obviously ASP.NET-based. So, here’s the post form Scott Guthrie on the workaround and more information about the vulnerability. Spread it around and let’s make sure our community is safe and keep Sitecore’s integrity intact (even though this is not even about Sitecore). You know how that works : ).