locked
asp.net valnuribility - change of customErrors section RRS feed

  • Question

  • User-706647060 posted

    hi !

    I have implemented all insturictuons on scott guthrie's blog for the asp.net valnuribility.

    here the link;

    http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

    but for 404 error I am stille getting the below page;


    Server Error in '/' Application.

    The resource cannot be found.

    Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly. 

    Requested URL: /edew.aspx


    I tired it with other application and it worked fine but in one app. it is not working properly.


    here the code of custom error section;


    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />

    why do you think it is not working ?

    Wednesday, September 22, 2010 9:56 AM

Answers

All replies

  • User-1460196090 posted

    Emm, try adding smth like this:

           <customErrors mode="On" redirectMode="ResponseRewrite">      
                <error statusCode="404" redirect="~/error.aspx" />
            </customErrors>

    hmm.. what else, maybe IIS setting?

    Read this: http://forums.iis.net/p/1160614/1915691.aspx


    Hope this helps.

    Wednesday, September 22, 2010 10:55 AM
  • User1459398585 posted
    1. You are running an MVC app that uses a controller / route to return the error page (IE /ErrorController/ErrorAction). RequestRewrite doesn't appear to work in this scenario as the Server.Transfer method that happens behind the scenes somehow skips the routing pipeline, thus it can't FIND the error page and returns a 404.

    2. Your error page, or it's master page, uses session perhaps? Server.Transfer, or something in this process, wipes the session I believe, causing your error page to error out, and thus reverting to a generic 404.


    I'm not entirely sure that the ResponseRewrite is necessary, as either way you are returning the same error message for 404s and 500's (a 302 redirect to a 200 Error page). I haven't been able to get anyone to really explain why its needed, and the attempts I've seen don't seem to explain the different observed behavior between 404 and 500 errors that using ResponseRedirect would cause...


    Wednesday, September 22, 2010 10:58 AM
  • User-706647060 posted

    Emm, try adding smth like this:

           <customErrors mode="On" redirectMode="ResponseRewrite">      
                <error statusCode="404" redirect="~/error.aspx" />
            </customErrors>

    hmm.. what else, maybe IIS setting?

    Read this: http://forums.iis.net/p/1160614/1915691.aspx


    Hope this helps.

    I guess, ı haven't looked at that

    http://www.microsoft.com/technet/security/advisory/2416728.mspx

    Wednesday, September 22, 2010 11:05 AM
  • User-706647060 posted

    guys, I am really freaking out. when do you thing the patch will be ready? and we need to add the path to our server? right?

    Wednesday, September 22, 2010 11:09 AM
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, September 27, 2010 9:15 AM