Last post Sep 20, 2010 06:29 AM by lionscub
Sep 20, 2010 01:55 AM|JaseSV8|LINK
I have a number of sites running ASP.NET 3.5SP1 and ASP.NET 4.0, hosted under IIS7 and IIS7.5
In these cases, will configuring the <customErrors> section (as recommended in Scott Guthrie's blog post) be enough?
It is my understanding that in these hosting environments, the <httpErrors> section overrides the <customErrors> section, as per :
Are sites using the <httpErrors> section under IIS7+ immune to this vulnerability?
The script that has been provided here :
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx is only designed to check <customErrors> and does not take into account the <httpErrors> configuration.
Sep 20, 2010 06:13 AM|lionscub|LINK
From my understanding the problem is the error page returning too much infromation. You are correct thoguh, I've tested it on my servers and the httpErrors section in IIS7 does override the customErrors. It seems like you have to set each entry in there
to go to your generic error page as well.
Anyone else have any other ideas?
Sep 20, 2010 06:29 AM|lionscub|LINK
That being said, paying more attention to the messages on the screen in IIS7.
If you are running in classic mode:
"When running in this mode, custom errors apply to all content except ASP.NET content."
So maybe we don't need to worry about those pages for this security flaw.