Last post Sep 22, 2010 04:43 PM by softie1997
Sep 22, 2010 03:30 PM|Heinzi
In some of our applications, Application_Error (in global.asax)
- shows a custom (verbose) error message, returning either status code 404 or 500 and then
- calls "Server.ClearError()" and "Response.TrySkipIisCustomErrors = True" to make sure that the error message is always shown to the user, independent of the customErrors setting in web.config or any
Clearly, the verbose error message (and the status code) pose a problem in light of the current ASP.NET vulnerability. Unfortunately, "Server.ClearError()" makes the currently recommended workaround useless, since the customErrors setting is ignored.
I'm aware that removing Server.ClearError() (and applying the workaround suggested by MS) would fix this problem. However, I'd really like to avoid checking out, modifying, recompiling and re-deploying all these applications just to remove "ClearError".
Is there some other workaround that works even though "ClearError" is called in Application_Error?
Sep 22, 2010 04:43 PM|softie1997
Good one, but no. The whole point of the vulnerability is that you are using custom errors. The goal of the workaround is to "genericize" the error output.
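Added example, not part of either post: since the fix discussed here comes down to changing each affected Application_Error handler, this Python sketch lists which checked-out applications contain the two calls named in the question, so the rework can be scoped. The function names, the constructed sample handler and the assumption that the sources sit in `global.asax*` files under one directory are illustrative, not taken from the thread.

```python
import re
from pathlib import Path

# The two calls named in the thread that keep the customErrors setting from applying.
BYPASS_CALLS = {
    "ClearError": re.compile(r"\bServer\s*\.\s*ClearError\s*\(", re.I),
    "TrySkipIisCustomErrors": re.compile(
        r"\bResponse\s*\.\s*TrySkipIisCustomErrors\s*=\s*true\b", re.I),
}
# Whole-line comments in VB (' or REM) and C# (//) are skipped.
COMMENT_LINE = re.compile(r"^\s*('|//|REM\b)", re.I)

def scan_source(text):
    """Return [(line_no, call_name)] for every bypass call in one source file.
    The whole file is scanned; handler boundaries are not parsed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if COMMENT_LINE.match(line):
            continue
        for name, rx in BYPASS_CALLS.items():
            if rx.search(line):
                findings.append((no, name))
    return findings

def scan_tree(root):
    """Map each global.asax* file under root (assumed layout) to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower().startswith("global.asax"):
            hits = scan_source(path.read_text(encoding="utf-8-sig", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample resembling the handler described in the question (VB.NET).
SAMPLE_VB = """\
Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
    Response.StatusCode = 500
    Response.Write(Server.GetLastError().ToString())
    ' Server.ClearError() left over from an earlier version
    Server.ClearError()
    Response.TrySkipIisCustomErrors = True
End Sub
"""

if __name__ == "__main__":
    for line_no, call in scan_source(SAMPLE_VB):
        print(f"line {line_no}: {call}")
```
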