There is a serious security flaw in asp.net framework, that should be adressed immediately.

This hole was revealed some hours ago by microsoft, see ASP.NET vulnerability, and could allow an attacker to access any file on the website,
including sensitive information (database connection strings, web.config)

Microsoft security advisory
Test script to run on the server to check vulnerabilities

The workaround is rather simple: be sure to set all custom errors to "on" and to a single file

<configuration>       

   <system.web>

      <customErrors mode="On" defaultRedirect="~/error.html" />

   </system.web>       

</configuration>

read more about the workaround

btw, i took the occasion to check that all my connection strings are encrypted on the production server...
easy to do with aspnet-regiis.exe

-- Concrete example of encrypting the Web.config file for a particular website...
aspnet_regiis.exe -pef "connectionStrings" "C:\Inetpub\wwwroot\MySite" –prov "DataProtectionConfigurationProvider"

More info about encrypting connection strings

A great post with More information about the flaw, including a demo of a possible attack

Of course, i immediately patched my client's websites...