ASP.NET Security Vulnerability Could Allow Information Disclosure


Scott Gu has a great blog post discussing the workaround that must be applied to your sites.  In a nutshell the recommended workaround is to specify a single error page for all errors.

NOTE: This also affects SharePoint; it is an ASP.NET application, after all.  Go check out the solution over at the SharePoint Team Blog.  An updated workaround has been posted for SharePoint 2007.

On .NET Framework 3.5 and earlier, ensure your web.config contains the following (assuming you already have a web.config):

<location allowOverride="false">
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</location>

On .NET Framework 3.5 SP1 and later, ensure your web.config contains the following:

<location allowOverride="false">
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
  </system.web>
</location>

For example, if you had a .NET 3.5 SP1 or later application, you would insert the text (in the red square in the screenshot) into your existing web.config file:

[Screenshot: Insert the text (in the red square) into your existing web.config file]
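As an added check, not part of the original post or of Microsoft's guidance: a small Python audit that parses a web.config and reports whether the workaround above is actually in place (single error page, custom errors on for every client, ResponseRewrite on 3.5 SP1+, and the allowOverride="false" wrapper). The two web.config samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

def audit_web_config(xml_text, sp1_or_later=True):
    """Check a web.config against the workaround; returns a list of findings.

    An empty list means the hardening is in place. sp1_or_later selects the
    .NET 3.5 SP1+ form, which also requires redirectMode="ResponseRewrite".
    """
    root = ET.fromstring(xml_text)
    findings = []
    custom_errors = list(root.iter("customErrors"))
    if not custom_errors:
        return ["no <customErrors> element: default error handling is active"]
    ce = custom_errors[0]
    mode = ce.get("mode")
    if mode != "On":
        findings.append('customErrors mode is %r, must be "On" for every client' % mode)
    if not ce.get("defaultRedirect"):
        findings.append("defaultRedirect is missing: no single error page is set")
    if sp1_or_later and ce.get("redirectMode") != "ResponseRewrite":
        findings.append('redirectMode="ResponseRewrite" is required on 3.5 SP1+')
    if ce.findall("error"):
        findings.append("per-status <error> entries give errors different pages")
    # The workaround wraps the setting in <location allowOverride="false"> so a
    # sub-folder web.config cannot switch custom errors back off.
    wrapped = any(
        loc.get("allowOverride", "true").lower() == "false" and ce in loc.iter()
        for loc in root.iter("location")
    )
    if not wrapped:
        findings.append('customErrors is not inside <location allowOverride="false">')
    return findings

# Constructed sample: a typical pre-workaround config with several weaknesses.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
      <error statusCode="404" redirect="~/notfound.html" />
    </customErrors>
  </system.web>
</configuration>"""

# Constructed sample: the 3.5 SP1+ form of the workaround applied at the root.
HARDENED_CONFIG = """<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or "OK")
```

Run it against each site's web.config (and any sub-folder web.config) after applying the change; any finding means the workaround is incomplete on that site.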

Here are links to more information:

http://www.microsoft.com/technet/security/advisory/2416728.mspx

http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

About wesmacdonald

Wes MacDonald is a Visual Studio ALM MVP, PSD, MCT and a Principal Consultant for LIKE 10 INC., a SharePoint Server, Visual Studio and Team Foundation Server Consulting Firm providing premium support and guidance services.
