Sign In| Join
Get Help:Ask a Question in our Forums|Report a Bug|More Help Resources
0 Points
4 Posts
Sep 20, 2010 05:55 AM|LINK
I have a number of sites running ASP.NET 3.5SP1 and ASP.NET 4.0, hosted under IIS7 and IIS7.5
In these cases, will configuring the <customErrors> section (as recommended in Scott Guthrie's blog post) be enough?
It is my understanding that in these hosting environments, the <httpErrors> section overrides the <customErrors> section, as per :
http://forums.asp.net/t/1603843.aspx
http://stackoverflow.com/questions/3166523/asp-net-application-hosted-on-iis7-that-is-ignoring-custom-errors-and-falls-back
http://www.west-wind.com/weblog/posts/745738.aspx
Are sites using the <httpErrors> section under IIS7+ immune to this vulnerability?
The script that has been provided here : http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx is only designed to check <customErrors> and does not take into account the <httpErrors> configuration.
JaseSV8
0 Points
4 Posts
What about the httpErrors section for IIS7?
Sep 20, 2010 05:55 AM|LINK
I have a number of sites running ASP.NET 3.5SP1 and ASP.NET 4.0, hosted under IIS7 and IIS7.5
In these cases, will configuring the <customErrors> section (as recommended in Scott Guthrie's blog post) be enough?
It is my understanding that in these hosting environments, the <httpErrors> section overrides the <customErrors> section, as per :
http://forums.asp.net/t/1603843.aspx
http://stackoverflow.com/questions/3166523/asp-net-application-hosted-on-iis7-that-is-ignoring-custom-errors-and-falls-back
http://www.west-wind.com/weblog/posts/745738.aspx
Are sites using the <httpErrors> section under IIS7+ immune to this vulnerability?
The script that has been provided here : http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx is only designed to check <customErrors> and does not take into account the <httpErrors> configuration.