Get Help:Ask a Question in our Forums|Report a Bug|More Help Resources
Sep 20, 2010 05:55 AM|LINK
I have a number of sites running ASP.NET 3.5SP1 and ASP.NET 4.0, hosted under IIS7 and IIS7.5
In these cases, will configuring the <customErrors> section (as recommended in Scott Guthrie's blog post) be enough?
It is my understanding that in these hosting environments, the <httpErrors> section overrides the <customErrors> section, as per :
Are sites using the <httpErrors> section under IIS7+ immune to this vulnerability?
The script that has been provided here :
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx is only designed to check <customErrors> and does not take into account the <httpErrors> configuration.