Heinzi
Member
2 Points
2 Posts
Protecting a site that uses Server.ClearError in its Application_Error handler
Sep 22, 2010 02:30 PM
In some of our applications, Application_Error (in global.asax)
- shows a custom (verbose) error message, returning either status code 404 or 500 and then
- calls "Server.ClearError()" and "Response.TrySkipIisCustomErrors = True" to make sure that the error message is always shown to the user, independent of the customErrors setting in web.config or any IIS settings.
Clearly, the verbose error message (and the status code) pose a problem in light of the current ASP.NET vulnerability. Unfortunately, "Server.ClearError()" makes the currently recommended workaround useless, since the customErrors setting is ignored.
I'm aware that removing Server.ClearError() (and applying the workaround suggested by MS) would fix this problem. However, I'd really like to avoid checking out, modifying, recompiling and re-deploying all these applications just to remove "ClearError". Is there some other workaround that works even though "ClearError" is called in Application_Error?
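As an added illustration (not code from this thread or from the poster's applications), here is the Global.asax pattern the question describes next to a variant that keeps the detail in a server-side log and leaves customErrors in charge of the response; the error page path and the logging call are assumptions:

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Global.asax code-behind. Assumed names: the error page path and the
// trace call are placeholders, not taken from the thread.
public class Global : HttpApplication
{
    // The pattern the question describes, kept here only for contrast (it is
    // NOT wired up, because it is not named Application_Error): a verbose
    // body, a per-error status code, then ClearError + TrySkipIisCustomErrors,
    // so the customErrors setting in web.config is never consulted and each
    // failure type is distinguishable from the client side.
    void VerboseHandlerFromQuestion()
    {
        Exception ex = Server.GetLastError();
        HttpException httpEx = ex as HttpException;
        Response.Clear();
        Response.StatusCode = (httpEx != null && httpEx.GetHttpCode() == 404) ? 404 : 500;
        Response.TrySkipIisCustomErrors = true;
        Response.Write("<pre>" + Server.HtmlEncode(ex.ToString()) + "</pre>");
        Server.ClearError(); // from here on customErrors cannot take effect
    }

    // Variant that keeps the detail but leaves the customErrors workaround
    // intact: log server-side, write nothing to the response, do not clear
    // the error. With <customErrors mode="On" defaultRedirect="~/error.aspx"
    // redirectMode="ResponseRewrite" /> in web.config (assumed path), every
    // unhandled exception then ends in the same generic page.
    void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        // The full exception text goes only where operators can read it.
        Trace.TraceError("Unhandled exception at {0}: {1}", Request.RawUrl, ex);
        // Intentionally no Server.ClearError() and no Response.Write():
        // the pipeline continues into the customErrors handling.
    }
}
```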
softie1997
Member
196 Points
52 Posts
Re: Protecting a site that uses Server.ClearError in its Application_Error handler
Sep 22, 2010 03:43 PM
Good one, but no. The whole point of the vulnerability is that you are using custom errors. The goal of the workaround is to "genericize" the error output.
http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx
Please remember to mark the answer!