ASP.NET Authentication Vulnerability - Fix

posted on 2004-10-07 at 11:07:08 by Joel Ross

I haven't posted about this, because I haven't had time to read much about it lately, but I finally got the time to look at this, and the fix is pretty simple.

I didn't look at it yet because our project hasn't deployed yet, but I will need to incorporate this into Tourney Logic's software too!

Anyway, I'll give credit to Robert McLaws, since I saw his fix first.

For those who don't like clicking, here's the C# code you need. Just add it to your global.asax file.

<script language="C#" runat="server">
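// Runs at the start of every request, before authentication and authorization.
void Application_BeginRequest(object source, EventArgs e) {
  // Reject the request if the URL path contains a backslash, or if the mapped
  // physical path is not already in the canonical form GetFullPath returns.
  if (Request.Path.IndexOf('\\') >= 0 || System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
    // Answer with a plain 404 rather than serving the resource.
    throw new HttpException(404, "not found");
  }
}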
</script>
