Last post Sep 20, 2010 02:34 PM by Rovastar
Sep 20, 2010 12:07 PM | Ken Cox [MVP]
I could use some advice on handling error messages in my own code and the effect on the vulnerability.
On one of my sites, I catch error messages in the Application_Error event, and the app sends me an email with the error details and redirects to errorpage.aspx, which tells the user there's been an error but gives no details or codes.
Is that sufficient to protect against the vulnerability?
I tried the recommended code in the web.config:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/errorpage.aspx" />
However, this doesn't seem to be working correctly in my scenario. For example, a non-existent file, doesntexist.aspx, returns:
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /doesntexist.aspx
Sep 20, 2010 02:34 PM | Rovastar
Use IIS's failed request tracing to trace through and see what is happening. That should tell you if the conditions have been met.
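A failed request tracing rule for the 404 case described in this thread, as an added example that is not part of either post. It assumes IIS 7 or later with the Tracing role service installed and failed request tracing enabled for the site; the fragment goes in the site's web.config, and the chosen status codes and trace areas are illustrative choices.

```xml
<configuration>
  <system.webServer>
    <tracing>
      <traceFailedRequests>
        <!-- Trace every .aspx request, including ones for files that
             do not exist (such as /doesntexist.aspx in the question). -->
        <add path="*.aspx">
          <traceAreas>
            <!-- ASP.NET pipeline events: shows whether the request reached
                 managed code and which module produced the response. -->
            <add provider="ASPNET"
                 areas="Infrastructure,Module,Page,AppServices"
                 verbosity="Verbose" />
            <!-- Native IIS pipeline events: shows which notification and
                 module set the final status code. -->
            <add provider="WWW Server"
                 areas="RequestNotifications,Module"
                 verbosity="Verbose" />
          </traceAreas>
          <!-- Write a trace whenever the response ends as 404 or 500,
               i.e. when the custom error page was not what the client got. -->
          <failureDefinitions statusCodes="404,500" />
        </add>
      </traceFailedRequests>
    </tracing>
  </system.webServer>
</configuration>
```

Each matching request produces an XML trace file in the site's failed request log directory (by default under `%SystemDrive%\inetpub\logs\FailedReqLogFiles`), which shows the module that generated the 404 and whether the customErrors handling ran.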