locked
Is it mandatory to revert the work arounds after patch install? RRS feed

  • Question

  • User220959680 posted

    Hi there,

    ASP.NET application should have custom exception page showing some meaningful message.

    As Scott suggested http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx it is required to use .html page for errors page to redirect to a single page regard less of the exception. This applies to .NET 1.1 to 3.5. Where as .NET 3.5SP1 and 4.0 versions can have .aspx page as custom error page.

    Now the security updates to address the security vulnerability have been installed and servers rebooted. I think that it is important to revert the work arounds(as above) in case the custom error web page is written in HTML (where .NET 1.0/1.1/2.0, 3.0, 3.5 are used) other wise incase custom exception page is written in .aspx it can be kept as it is. Because .aspx pages can inherit Master page, where as HTML pages  can not inherit Master pages.

    As I have .NET 3.5SP1 and using .aspx page after installing suggested security updates, I do not think that it is required to update anything to address recent security vulnerability.

    Please correct me on this.

    Thanks,

    Monday, October 4, 2010 10:03 AM

Answers

  • User-158764254 posted

    According to Scott Gu, the work-arounds that you had implemented with the custom error page would not be required once the official patch has been installed.

    http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx

    Friday, October 01, 2010 5:05 PM by ScottGu

    @Keith,

    >>>>>>>> Good work. Once the patch is installed I presume we can go back to using our previous error page(s)?

    Yes - once the patch is installed you can go back to using the same error page approach you had before the security issue appeared.

    Hope this helps,

    Scott

     

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 4, 2010 6:36 PM

All replies

  • User-158764254 posted

    According to Scott Gu, the work-arounds that you had implemented with the custom error page would not be required once the official patch has been installed.

    http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx

    Friday, October 01, 2010 5:05 PM by ScottGu

    @Keith,

    >>>>>>>> Good work. Once the patch is installed I presume we can go back to using our previous error page(s)?

    Yes - once the patch is installed you can go back to using the same error page approach you had before the security issue appeared.

    Hope this helps,

    Scott

     

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 4, 2010 6:36 PM
  • User220959680 posted

    According to Scott Gu, the work-arounds that you had implemented with the custom error page would not be required once the official patch has been installed.
     

     

    Thanks Mike.

    Having custom exception page to show user friendly message is important, so I think that the custom exception page where .aspx is used should be kept, aspx pages can inherit Master page to provide same look and feel. This applies to .NET 3.5SP and 4.0

    Where as for versions 1.0/1.1/2.0/3.0/3.5 the work around was to use .HTML page as custom exceptions page. As the HTML page can not inherit Master page as .ASPX pages, the work arounds should be reverted. Incase the custom exception page is aspx page with 3.5SP and 4.0 they can stay.

    Please correct me if i'm incorrect.

     

    Tuesday, October 5, 2010 3:56 AM
  • User-234406897 posted

    I am not sure of why you want the workarounds to still be in place they are not needed anymore.

    It is fine to keep them but they are not needed.



    Thursday, October 7, 2010 1:36 PM