Invalid paths return to login.aspx. Is this also bad?

  • Question

  • User384442066 posted

    I added the custom errors section, but as long as a user is not logged in, the error page is not served up.

    When I try to test a bogus request, our site serves the login page.

    This is because of this section in our web.config.

        <authentication mode="Forms">
            <forms name=".AUTHCOOKIE" loginUrl="Login.aspx"/>
        </authentication>
        <authorization>
            <deny users="?"/>
        </authorization>

    If this is not optimal, how should we protect the site against this vulnerability?


    thanks for any reactions,

    A.


    Tuesday, September 21, 2010 4:32 AM

Answers

  • User915387828 posted

    Hi alain_bourdiaudhy,

    It relates to the Error Pages server setting in the IIS admin interface:

    You can config it.

    Please check the following link:
    http://www.west-wind.com/weblog/posts/745738.aspx

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 24, 2010 6:09 AM
  • User1513529506 posted

    Yes, I have to agree with Hua-Jun.

    I think you're safe. If you look up the "IIS pipeline architecture" you'll see that IIS 6 and below (and IIS 7 running in classic mode) handle authentication before the request ever gets to the .NET runtime. So assuming you're using forms authentication, and IIS is correctly configured to use anonymous access, then this is the correct behaviour for ASP.NET forms authentication (again, assuming the 'forms' node has deny="?" in web.config, and the login property is correctly set).

    Check out this great article for more info:

    http://msdn.microsoft.com/en-us/library/ff647070.aspx

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, September 25, 2010 7:40 AM
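    The following web.config, added here as an illustration and not taken from any post in this thread, combines the questioner's forms-authentication section with a customErrors section and a location element that lets anonymous users reach the error pages. The Errors folder and the page names inside it are assumptions made for this example.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Same forms-authentication setup as in the question -->
    <authentication mode="Forms">
      <forms name=".AUTHCOOKIE" loginUrl="Login.aspx"/>
    </authentication>

    <!-- Deny every anonymous user ("?") site-wide. UrlAuthorizationModule
         runs before the page handler, so a request for an unknown .aspx path
         is redirected to Login.aspx before a 404 can ever be raised. -->
    <authorization>
      <deny users="?"/>
    </authorization>

    <!-- Custom error pages. The ~/Errors/ folder and file names are
         assumptions for this example, not from the thread. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Errors/Error.aspx">
      <error statusCode="404" redirect="~/Errors/NotFound.aspx"/>
    </customErrors>
  </system.web>

  <!-- Carve the error pages out of the site-wide deny rule. Without this,
       the redirect to the error page is itself redirected to Login.aspx
       for anonymous users, which is the behaviour described in the question. -->
  <location path="Errors">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

    Two points worth checking against your own setup: the location element covers the whole Errors folder, so it applies to .aspx error pages handled by ASP.NET; a static .html error page served directly by IIS 6 or IIS 7 in classic mode never enters the ASP.NET pipeline, so the deny rule does not apply to it in the first place. And as the replies note, an anonymous request for a non-existent .aspx path being sent to Login.aspx is the expected outcome of the deny rule rather than a leak: every protected path, existing or not, gets the same redirect.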

All replies

  • User614805505 posted

    Dear,


    You are going to give access rights to anonymous users for the error page.


    <?xml version="1.0"?>
    <configuration>

      <!-- Allow all users ("*"), including anonymous ones, to reach the error page -->
      <location path="errors.aspx">
        <system.web>
          <authorization>
            <allow users="*"/>
          </authorization>
        </system.web>
      </location>

    </configuration>



    Tuesday, September 21, 2010 4:43 AM
  • User384442066 posted

    I tried your comment, giving access to the error page, but I'm using an HTML error page, not an aspx page.

    When I'm not logged in, it seems to make no difference whether I try to go to an existing or a non-existing aspx page. The login page is always displayed. I guess that is not a 404 error, so now I was wondering if this is actually exposing the vulnerability or not.




    Tuesday, September 21, 2010 4:57 AM