After some experimenting, I could also reproduce the same behaviour with Windows Authentication.
So the bug is not in Forms Authentication; it is a canonicalization error in the UrlAuthorizationModule of ASP.NET, which makes its allow/deny decision on the URL as the client sent it, not on the path the request is finally mapped to.
Windows Server 2003 is not affected because IIS 6 normalizes the URL itself before handing the request on, so the encoded URL never reaches the CLR. You can get the same protection on Windows XP and Windows 2000, which are vulnerable regardless of the .NET Service Pack, by installing URLScan (considered best practice on these platforms anyway). So do it!
UPDATE
Duncan Godwin posted a small HttpModule to the DevelopMentor DOTNET-WEB list which filters out those specific characters. It works as a short-term solution if you can't use URLScan or upgrade to IIS 6.
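For those who want to see what such a filter looks like, here is my own sketch of one. It is an added example written for this post, not Duncan's module and not Microsoft's code. It assumes that the sequences slipping past UrlAuthorizationModule are backslashes and percent-encoded bytes in the path portion of the URL (an assumption on my part, since I am not reproducing the exact characters here), and it fails closed with a 404 when it sees them.

```csharp
// Added example, not Duncan Godwin's module and not Microsoft's code.
// Assumption: the characters that get past UrlAuthorizationModule are
// backslashes and percent-encoded sequences in the path, so the module
// rejects exactly those before any handler or authorization code runs.
using System;
using System.IO;
using System.Web;

public class CanonicalizationFilterModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest fires before UrlAuthorizationModule's AuthorizeRequest,
        // so a rejected request never reaches the flawed check.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Request;

        if (!IsCanonical(request.RawUrl, request.Path, request.PhysicalPath))
        {
            // Fail closed with a 404 instead of redirecting to the login page,
            // so the response says nothing about which resources exist.
            throw new HttpException(404, "Not Found");
        }
    }

    // Decision logic kept free of HttpContext so it can be tested in isolation.
    public static bool IsCanonical(string rawUrl, string path, string physicalPath)
    {
        // Only the path part of the raw URL is inspected; query strings
        // legitimately carry percent-encoding and are handled separately.
        string rawPath = rawUrl;
        int q = rawPath.IndexOf('?');
        if (q >= 0)
        {
            rawPath = rawPath.Substring(0, q);
        }

        // A backslash, literal or decoded, never belongs in a virtual path.
        if (rawPath.IndexOf('\\') >= 0 || path.IndexOf('\\') >= 0)
        {
            return false;
        }

        // Any percent-encoding left in the path means the authorization check
        // compared a different string than the one the file system will use.
        if (rawPath.IndexOf('%') >= 0)
        {
            return false;
        }

        // Belt and braces: the mapped physical path must already be canonical,
        // i.e. there must be no "." or ".." segments left for Windows to resolve.
        if (physicalPath != null && physicalPath.Length > 0 &&
            Path.GetFullPath(physicalPath) != physicalPath)
        {
            return false;
        }

        return true;
    }
}
```

Register it in web.config under `<httpModules>` with `<add name="CanonicalizationFilter" type="CanonicalizationFilterModule" />` (adjust the type name to include your assembly if you compile it into one), and put it before any of your own modules so it runs first. The whitelist approach is deliberate: rather than enumerating the encodings an attacker might try, the module refuses anything in the path that still needs normalizing, which is the same idea URLScan applies at the IIS level.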
