Last post Sep 25, 2010 07:40 AM by scott.fulford
Sep 21, 2010 04:32 AM | alain_bourdiaudhy
I added the custom errors section, but as long as a user is not logged in the error page is not served up.
When I try to test a bogus request, our site serves the login page.
This is because of this section in our web.config.
<forms name=".AUTHCOOKIE" loginUrl="Login.aspx"/>
If this is not optimal, how should we protect the site against this vulnerability?
Thanks for any reactions.
Sep 21, 2010 04:43 AM | CruzerB
You are going to give the access right to the anonymous user for the error page.
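As an added example (not posted by anyone in this thread), here is a web.config fragment that applies CruzerB's suggestion: the forms node from the original post is kept, and a location element opens the error page to anonymous users. The path ~/Error.htm is an assumed placeholder; only .AUTHCOOKIE and Login.aspx come from the thread.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread. ~/Error.htm is an assumed
     placeholder; .AUTHCOOKIE and Login.aspx are from the original post. -->
<configuration>
  <system.web>
    <!-- Forms authentication, as in the poster's config -->
    <authentication mode="Forms">
      <forms name=".AUTHCOOKIE" loginUrl="Login.aspx" />
    </authentication>
    <!-- deny="?" sends every anonymous request to the login page,
         which is why a bogus .aspx URL shows Login.aspx instead of a 404 -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Custom errors section: unhandled errors are redirected
         to a single error page -->
    <customErrors mode="On" defaultRedirect="~/Error.htm" />
  </system.web>

  <!-- Carve out the error page so anonymous users can see it;
       without this the redirect to Error.htm would itself bounce
       back to the login page. Child authorization rules are
       evaluated before the parent's deny="?" rule. -->
  <location path="Error.htm">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Under IIS 6 or IIS 7 in classic mode a static .htm file is served by IIS without passing through ASP.NET at all, so the location element only matters when the error page goes through the managed pipeline (an .aspx page, or integrated mode).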
Sep 21, 2010 04:57 AM | alain_bourdiaudhy
I tried your comment, giving access to the error page, but I'm using an HTML error page, not an aspx page.
When I'm not logged in, it seems to make no difference whether I try to go to an existing or a non-existing aspx page. The login page is always displayed. I guess that is not a 404 error, so now I was wondering if this is actually exposing the vulnerability.
Sep 24, 2010 06:09 AM | Hua-Jun Li - MSFT
It relates to the Error Pages server setting in the IIS admin interface:
You can configure it.
Please check the following link:
Sep 25, 2010 07:40 AM | scott.fulford
Yes, I have to agree with Hua-Jun.
I think you're safe. If you look up the "IIS pipeline architecture" you'll see that IIS 6 and below (and IIS 7 running in classic mode) handle authentication before the request ever gets to the .NET runtime. So assuming you're using forms authentication, and IIS is correctly configured to use anonymous access, then this is the correct behaviour for ASP.NET forms authentication (again, assuming the 'forms' node has deny="?" in web.config, and the login property is correctly set).
Check out this great article for more info.