be789 (Member, 4 Points, 16 Posts)
Need help implementing the workaround for the oracle padding exploit
Sep 21, 2010 05:24 AM
Moved from the MVC forum to the dedicated one about the vulnerability by moderator XIII to keep people and the ASP.NET team at Microsoft focused on one reporting area:
I'm trying to implement the workaround for the oracle padding exploit described on ScottGu's blog. Here's the workaround:
When I add that to my web.config, I'm not redirected to the error page when I try a bogus URL. I get the regular 404 error page. That's not what I expected. When I visit http://www.example.com/Home/ErrorPage, I can see it just fine.
I can't use the script on Scott's page to test my server since I deploy to Azure.
Any ideas?
i8beef (Member, 69 Points, 45 Posts)
Re: Need help implementing the workaround for the oracle padding exploit
Sep 21, 2010 04:13 PM
ResponseRewrite seems to break this on my MVC site as well.
If you set up your error page to be a static HTML file, it will work. Less than ideal, but this is a temporary solution...
I think that if you wanted to do this with an MVC site, you would need to instantiate the controller and return the result of calling the "ErrorPage" action method. My best guess as to why this doesn't seem to work with MVC is that ResponseRewrite uses Server.Transfer behind the scenes (I think, someone correct me if I'm wrong), which doesn't work with MVC routes...
/ Michael /
be789 (Member, 4 Points, 16 Posts)
Re: Need help implementing the workaround for the oracle padding exploit
Sep 22, 2010 09:46 PM
How do I set up a static page with MVC? I'm only accustomed to displaying pages via a controller and view.
EDIT: Never mind. I just put Scott Gu's example error.aspx file into my Content directory and then put this in web.config:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Content/Error.aspx" />
Haacked (Contributor, 6901 Points, 412 Posts)
Re: Need help implementing the workaround for the oracle padding exploit
Sep 23, 2010 07:10 AM
Be sure to also set the custom 404 error page in IIS to point to the same error page (/Content/Error.aspx in your case).
The behavior you're seeing is probably due to a difference in how IIS handles extensionless URLs. For example, when I applied the fix, the following worked: http://mysite.com/dummy.aspx but the following did not work http://mysite.com/dummy/
After I updated the custom 404 page in IIS, it all worked.
Phil Haack (http://haacked.com/)
Senior Program Manager, Microsoft
What wouldn’t you do for a Klondike bar?
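To show the two layers this reply is talking about side by side (the customErrors entry be789 posted, plus the IIS-level 404 mapping Phil adds for extensionless URLs), here is an added example web.config; it is not from anyone in the thread or from ScottGu's post, and it assumes an IIS 7 integrated-pipeline site where /Content/Error.aspx is a plain page that returns the same response for every failure:

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- ASP.NET layer: every unhandled error that reaches ASP.NET, 404s
         included, is rewritten in place (ResponseRewrite, so no redirect
         and no per-error URL) to one and the same page. -->
    <customErrors mode="On" redirectMode="ResponseRewrite"
                  defaultRedirect="~/Content/Error.aspx">
      <!-- Deliberately no per-status <error> entries: one page for all
           failures is the point of the workaround. -->
    </customErrors>
  </system.web>

  <system.webServer>
    <!-- IIS layer (integrated pipeline): an extensionless URL such as
         /dummy/ can be answered by IIS's own 404 handling before
         customErrors ever runs, which is the difference Phil describes
         between /dummy.aspx and /dummy/. Map the IIS 404 to the same page
         with ExecuteURL (the "Execute URL" handling type a hosting panel
         exposes) so both paths end up on /Content/Error.aspx. -->
    <httpErrors errorMode="Custom">
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" subStatusCode="-1"
             path="/Content/Error.aspx" responseMode="ExecuteURL" />
      <remove statusCode="500" subStatusCode="-1" />
      <error statusCode="500" subStatusCode="-1"
             path="/Content/Error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

A quick check after deploying is to request both a bogus .aspx URL and a bogus extensionless URL and confirm the response body is identical for both; if the second still shows the IIS 404 page, the httpErrors section is not being applied (classic pipeline, or a host that locks that section).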
i8beef (Member, 69 Points, 45 Posts)
Re: Need help implementing the workaround for the oracle padding exploit
Sep 23, 2010 02:51 PM
Static pages work in MVC just like on any ASP.NET site. You can put it anywhere you want.
Not sure on the IIS error thing... Is this specific to a version of IIS (Like NOT IIS 7 integrated)? I would think that as long as ASP.NET is in fact engaged in the process, that the point is moot in terms of mitigating this attack... Non-ASP.NET requests wouldn't provide the encryption /decryption that is necessary to execute it.
Although the IIS error redirect might provide a more seamless user experience. Just curious if you see an attack vector there I don't.
/ Michael /
Haacked (Contributor, 6901 Points, 412 Posts)
Re: Need help implementing the workaround for the oracle padding exploit
Sep 23, 2010 03:22 PM
I pointed out the IIS redirect as a means of providing a consistent user experience for file not found errors. I don't think it affects the security issue in a negative or positive manner. However, just to be sure, I've asked others on my team more versed in this security issue to review.
Phil Haack (http://haacked.com/)
Senior Program Manager, Microsoft
What wouldn’t you do for a Klondike bar?
Maxer_Ars (Member, 76 Points, 183 Posts)
Re: Need help implementing the workaround for the oracle padding exploit
Sep 23, 2010 06:19 PM
I am very interested in their response as I am having the same issues as the OP.
Using redirectMode="ResponseRewrite" causes IIS to display a 404 error instead of my custom error page if I go to a page that does not exist on the site...
dkarantonis (Member, 135 Points, 214 Posts)
Re: Need help implementing the workaround for the oracle padding exploit
Sep 24, 2010 10:30 AM
Hi to all,
I have removed all the error handling code from my mvc web app and tried to implement ScottGu's solution by creating a really simple error.aspx file and modifying the web.config to:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Content/Error.aspx" />
Then, from my shared hosting services provider panel I added a custom 404 error page ("Execute URL" handling type) "/Content/Error.aspx".
The result is that every time I try to navigate to any page of the web app, the Error.aspx page is displayed.
Note that I have already successfully implemented the workaround on my other ASP.NET and DotNetNuke web apps.
Any ideas?
Dimitris
i8beef (Member, 69 Points, 45 Posts)
Re: Need help implementing the workaround for the oracle padding exploit
Sep 24, 2010 02:25 PM
You shouldn't have to remove all of your error handling code (IE logging?), just make sure that it redirects to the same page for all failed requests, including 404.
Are you sure that there is not an error / exception being thrown on your web app now after making code changes? IE does your log show anything, or if you turn custom errors off for a second does it give you an error?
Something I've always found with any app that hides the error codes (Which should be all of them...), is that logging functionality is absolutely critical for troubleshooting these types of issues.
/ Michael /
be789 (Member, 4 Points, 16 Posts)
Re: Need help implementing the workaround for the oracle padding exploit
Sep 24, 2010 09:01 PM
What if we don't have control over IIS's custom 404 error page, for example, on Azure?
I'm afraid I don't understand how IIS's custom 404 error page differs from what I set in web.config. Does one override the other?