locked
MOSS Fix Not Working? RRS feed

  • Question

  • User885187128 posted

    We made the recommended changes to the web.config, did an IIS reset. Browsing to http://servername/_vti_bin/webresource.axd returns 'An error has occurred on the server. '

    Browsing to a non-existent page returns 'The file '/_layouts/foo.aspx' does not exist.   at System.Web.UI.Util.CheckVirtualFileExists(VirtualPath virtualPath) ...etc.'

    Doesn't seem like the workaround is working...?

     

    Thursday, September 23, 2010 7:46 AM

Answers

  • User541200944 posted

    I got the same error, but if you look at the URL of the page it probably shows "ErrorText=Path%20%27%2F%5Fvti%5Fbin%2Fwebresource%2Eaxd%27%20was%20not%20found%2E".  This is different than what used to display in the URL before I made the change to the web.config.  That means the change was successful.

    As for your other question regarding foo.aspx, another poster said in another thread that the changes that are indicated for other NON-SharePoint apps are not required for SharePoint applications.   I haven't seen an official statement from Microsoft as to whether that is true or not, but user Snelso1's explanation in this thread (http://forums.asp.net/t/1604327.aspx) seems to explain why only the MOSS-specific instructions are applicable. 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 23, 2010 9:21 AM

All replies

  • User541200944 posted

    I got the same error, but if you look at the URL of the page it probably shows "ErrorText=Path%20%27%2F%5Fvti%5Fbin%2Fwebresource%2Eaxd%27%20was%20not%20found%2E".  This is different than what used to display in the URL before I made the change to the web.config.  That means the change was successful.

    As for your other question regarding foo.aspx, another poster said in another thread that the changes that are indicated for other NON-SharePoint apps are not required for SharePoint applications.   I haven't seen an official statement from Microsoft as to whether that is true or not, but user Snelso1's explanation in this thread (http://forums.asp.net/t/1604327.aspx) seems to explain why only the MOSS-specific instructions are applicable. 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, September 23, 2010 9:21 AM
  • User885187128 posted

    Thanks SPJen, this was the info I was looking for! 

    Thursday, September 23, 2010 10:11 AM
  • User297910464 posted

    My explanation is for SharePoint 2010 and browsing to /pages/foo.aspx versus /_layouts/foo.aspx.  You need to apply all of the instructions as per:  http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx.  In the post he mentions (for 2010):

    "Verifying the workaround:  After applying the workaround, you may not see a change in SharePoint’s error handling behavior.  For example, you will still receive a 404 error if you try to access a page that does not exist – this is unique to the SharePoint workaround and is different from the expected behavior described here. This is by design — the workaround described here specifically protects against the ASP.NET vulnerability in error cases that are not handled by SharePoint." 

     

    That paragraph is what my explanation addresses.  There's different instructions for 2010 and 2007.  His MOSS 2007 instructions seem to ignore the root web.config change -- not sure why, but I don't have a 2007 environment in front of me. 

    Thursday, September 23, 2010 3:31 PM