Recommended workaround does not work for webresource.axd

  • Question

  • User-272351917 posted

    I have a website with the following web.config:

    <configuration>
     <system.web>
       <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
     </system.web>
    </configuration>
    

    Accessing http://mysite/doesnotexist.aspx, http://mysite/doesnotexist.axd or even http://mysite/webresource.axd returns the contents of ErrorPage.aspx, as expected. However, accessing

    http://mysite/webresource.axd?aspxerrorpath=bar

    yields the ASP.NET default 404 page and

    http://mysite/webresource.axd?d=foo&aspxerrorpath=bar

    yields the ASP.NET default 500 page.

    I'm a bit confused. Since webresource.axd is one of the main attack targets (as I understood it), I would have thought that the workaround works for this handler as well...

    Monday, September 27, 2010 8:43 AM
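
A uniformity check for the behaviour described in the question, as an added example that is not part of the original thread: the customErrors workaround only holds if every failing request produces the same response, so the script fingerprints each response and lists the paths that differ from a baseline. The status codes and bodies are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import re
from collections import defaultdict

# Constructed observations (path, status, body). These are placeholders
# modelled on the three outcomes described in the question, not captured
# traffic; the status codes and markup are assumptions.
CUSTOM_PAGE = "<html><body>Sorry, something went wrong.</body></html>"
OBSERVATIONS = [
    ("/doesnotexist.aspx", 200, CUSTOM_PAGE),
    ("/doesnotexist.axd", 200, CUSTOM_PAGE + "\n"),
    ("/webresource.axd", 200, CUSTOM_PAGE),
    ("/webresource.axd?aspxerrorpath=bar", 404,
     "<html><title>The resource cannot be found.</title></html>"),
    ("/webresource.axd?d=foo&aspxerrorpath=bar", 500,
     "<html><title>Runtime Error</title></html>"),
]


def fingerprint(status, body):
    """Reduce a response to what a client can tell apart: the status code
    plus a hash of the body with whitespace runs collapsed."""
    normalized = re.sub(r"\s+", " ", body).strip()
    digest = hashlib.sha256(normalized.encode("utf-8")).hexdigest()
    return status, digest[:12]


def group_responses(observations):
    """Map each distinct fingerprint to the paths that produced it."""
    groups = defaultdict(list)
    for path, status, body in observations:
        groups[fingerprint(status, body)].append(path)
    return dict(groups)


def leaking_paths(observations, baseline_path):
    """Paths whose error response differs from the baseline error response."""
    by_path = {p: fingerprint(s, b) for p, s, b in observations}
    baseline = by_path[baseline_path]
    return [p for p, fp in by_path.items() if fp != baseline]


if __name__ == "__main__":
    for fp, paths in group_responses(OBSERVATIONS).items():
        print(fp, paths)
    print("differs from baseline:",
          leaking_paths(OBSERVATIONS, "/doesnotexist.aspx"))
```

More than one group in the output means the error handling is still distinguishable for those paths.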

Answers

  • User-1828574268 posted

    @Heinzi, you hit it right on the spot.  Now that the patch is out, I posted an explanation on why <customErrors> is not enough.

    http://forums.asp.net/p/1607422/4102287.aspx

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, September 28, 2010 3:32 PM

All replies

  • User-234406897 posted

    Hence the workaround that is now in place for the past couple of days:

    http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx

    Monday, September 27, 2010 8:54 AM