Last post Sep 20, 2010 01:16 PM by owjeff
Sep 20, 2010 08:44 AM|s3034sd
After attempting to apply the workaround, my ASP.NET resources (.aspx and .html as I have set up ASP.NET to protect .html pages with forms authentication) are protected so that all errors redirect to the same page.
However, if I try to access a resource type not handled by ASP.NET e.g. mysite/orange.jpg, where such a file does not exist, I get an inbuilt 404 error. mysite/page.aspx or mysite/file.html shows the custom error as intended. Am I still vulnerable?
Sep 20, 2010 01:16 PM|owjeff
If you've implemented the fix for ASP.NET, you should be covered. The issue stems from the error messages normally returned by ASP.NET allowing it to guess the MachineKey. The standard IIS error codes for static content do not come into play with this exploit.
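
The check discussed in this thread (every ASP.NET error goes to the same page) can be automated against a site's web.config. The following is an added example, not part of either post; it assumes the workaround is configured through ASP.NET's `<customErrors>` section, and the function name and sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop an XML namespace prefix such as "{uri}customErrors".
    return tag.rsplit("}", 1)[-1]

def check_custom_errors(web_config_xml):
    """Return a list of findings. An empty list means ASP.NET sends every
    error it handles to one shared page. IIS responses for static files
    are outside ASP.NET and are not examined here."""
    root = ET.fromstring(web_config_xml)
    ce = next((e for e in root.iter() if _local(e.tag) == "customErrors"), None)
    if ce is None:
        return ["no <customErrors> section found"]
    findings = []
    # ASP.NET falls back to RemoteOnly when the mode attribute is omitted.
    mode = ce.get("mode", "RemoteOnly")
    if mode not in ("On", "RemoteOnly"):
        findings.append("mode is %r: detailed ASP.NET errors are returned" % mode)
    if not ce.get("defaultRedirect"):
        findings.append("no defaultRedirect: no shared error page")
    # Per-status <error> children make responses differ by error type.
    codes = [e.get("statusCode") for e in ce if _local(e.tag) == "error"]
    if codes:
        findings.append("per-status pages defined for: " + ", ".join(codes))
    return findings

# Constructed sample configurations (not taken from the thread).
UNIFORM = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""

MIXED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/404.html" />
    <error statusCode="500" redirect="~/500.html" />
  </customErrors>
</system.web></configuration>"""

DISABLED = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("UNIFORM", UNIFORM), ("MIXED", MIXED), ("DISABLED", DISABLED)):
        print(name, check_custom_errors(cfg) or "OK")
```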