Are resources not handled by ASP.NET affected?

  • Question

  • User-780286375 posted

    After attempting to apply the workaround, my ASP.NET resources (.aspx and .html as I have set up ASP.NET to protect .html pages with forms authentication) are protected so that all errors redirect to the same page.

    However, if I try to access a resource type not handled by ASP.NET e.g. mysite/orange.jpg, where such a file does not exist, I get an inbuilt 404 error. mysite/page.aspx or mysite/file.html shows the custom error as intended. Am I still vulnerable? 

    Monday, September 20, 2010 8:44 AM

Answers

  • User2025044020 posted

    If you've implemented the fix for ASP.NET, you should be covered. The issue stems from the error messages normally returned by ASP.NET allowing it to guess the MachineKey. The standard IIS error codes for static content do not come into play with this exploit AFAIK.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, September 20, 2010 1:16 PM