I was really surprised to discover this bug a couple of days back while working on an ASP.Net 2.0 web site.
I spent several hours barking up the wrong code tree since I was convinced it had to do with some recent code changes I made.
But as it turns out this problem is as old as the server itself and for some reason has not been fixed by any .Net patches.
The jist of it is that if you encounter .net exceptions that only happen on your server with certain types of traffic ( examples: google bot, yahoo bot and some other esteemed visitors), you might be the victim of an annoying bug that has existed, as far as I could tell, for a couple of years and has not been fixed till date.
The telltale signs would be server exceptions that look like ->
Exception of type 'System.Web.HttpUnhandledException' was thrown.
Stack trace: at System.Web.UI.Page.HandleError(Exception e)
And inner exception type ->
System.Web.HttpException: Cannot use a leading .. to exit above the top directory. at System.Web.Util.UrlPath.ReduceVirtualPath(String path)
As it turns out this bug has to do with .Net 2.0 browser detection bug and can be fixed by adding a browser definition file to correct the problem.
You can also reproduce and test the browser detection bug here.
Note that this bug often occurs when you use url rewriting on your server.