There is an oracle-type attack publicly released that can allow downloading of web configuration files. If your sites use web resources/script resources (i.e. if you have a pretty standard ASP.NET setup almost certainly they will) and your pages return different headers and/or content depending on the validity of the request your sites will be exposed. The workaround at the moment is to return content/headers that are the same no matter the request. More info on the workaround here: http://weblogs.asp.net/scottgu/archi...erability.aspx.
Happy coding