Last post Sep 22, 2010 02:28 PM by owjeff
Sep 22, 2010 09:08 AM|lp9999|LINK
IIS 6, Windows 2003 Server.
Web.config: <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorMessage.htm" />
http://mysite/mywebapp/PageThatDoesNotExist.aspx - IIS log has status 200. Redirects to ErrorMessage.htm as expected.
http://mysite/mywebapp/PageThatThrowsApplicationException.aspx - IIS log has status 200, but no redirect occurs so the response html is different. I assume this would allow the exploit.
What am I missing?
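The comparison the original poster makes by hand (same IIS status, but is the body the same?) as an added script that is not part of this thread. It fetches the missing-page URL and the throwing-page URL from the post (placeholders; pass your own base URL) and reports whether the two responses are identical after whitespace normalisation, which is what a uniform customErrors page should produce.

```python
"""Verify that an ASP.NET customErrors page makes a missing page and a page
that throws come back with the same status and the same body.
Added example; the URLs are the placeholders from the post, not real hosts."""
import hashlib
import re
import sys
import urllib.error
import urllib.request


def fetch(url):
    """Return (status, body). urlopen follows a defaultRedirect 302 itself and
    raises HTTPError for 4xx/5xx, so those bodies are captured too."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def normalize(body):
    # Collapse runs of whitespace and drop whitespace between tags so that
    # only real content differences survive.
    return re.sub(r">\s+<", "><", re.sub(r"\s+", " ", body)).strip()


def indistinguishable(responses):
    """responses: name -> (status, body). Returns (all_identical, fingerprints)."""
    fps = {name: (status, hashlib.sha256(normalize(body).encode()).hexdigest())
           for name, (status, body) in responses.items()}
    return len(set(fps.values())) == 1, fps


def leaks_page_identity(body, requested_path):
    """True when the body still carries the requested page's own <form action>,
    the symptom in the thread: the exception page was served, not ErrorMessage."""
    match = re.search(r'<form[^>]*action="([^"]*)"', body, re.I)
    if not match:
        return False
    return match.group(1).split("/")[-1].lower() == requested_path.split("/")[-1].lower()


def main(base):
    urls = {"missing": base + "/PageThatDoesNotExist.aspx",
            "throws": base + "/PageThatThrowsApplicationException.aspx"}
    responses = {name: fetch(url) for name, url in urls.items()}
    ok, fps = indistinguishable(responses)
    for name, (status, digest) in fps.items():
        print(f"{name:8} status={status} body_sha256={digest[:12]}")
    print("OK: responses identical" if ok else "DIFFERENT: error page not applied uniformly")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "http://mysite/mywebapp"))
```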
Sep 22, 2010 09:17 AM|mehta.rahulit|LINK
Sep 22, 2010 09:45 AM|lp9999|LINK
Thanks for the response. If I remove redirectMode="ResponseRewrite", it still does not redirect to ErrorMessage.htm, which is a simple htm file that can't throw an asp.net server side error. When I view source after requesting PageThatThrowsApplicationException.aspx, the html contains
<form name="form1" method="post" action="PageThatThrowsApplicationException.aspx" id="form1">
which tells me the server responded with the html of the page that threw the exception rather than the html of ErrorMessage.htm.
I'm using IIS6 so Response.TrySkipIisCustomErrors is not available. There is no master page or global.asax error handling.
Sep 22, 2010 10:19 AM|owjeff|LINK
Are you using ASP.NET 3.5 SP1? If so, redirect to an aspx page.
Sep 22, 2010 10:32 AM|lp9999|LINK
Thanks owjeff, I am using 3.5 SP1. Using this:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorMessage.aspx" />
<customErrors mode="On" defaultRedirect="~/ErrorMessage.aspx" />
causes the same behavior for PageThatThrowsApplicationException.aspx. However, when I go to PageThatDoesNotExist.aspx the browser is sent the default 404 page specified in IIS. If I navigate directly to ErrorMessage.aspx there is no error.
Sep 22, 2010 10:40 AM|owjeff|LINK
Do you have any custom error handlers?
Sep 22, 2010 11:23 AM|lp9999|LINK
I previously stripped out the Exception Management Application Block code that used to be there, so at this point I don't have any custom error handling.
I just created a new web application named TestCustomError and it works as expected with the recommended customError tag. The page that throws an exception redirects as it should to ErrorMessage.aspx. Navigating to pages that don't exist also redirects to
I replaced TestCustomError/web.config with the web.config from the application that isn't working, and TestCustomError still works.
I replaced web.config on the application that isn't working with the original web.config that worked in TestCustomError, and it still doesn't work.
This seems to rule out web.config.
Sep 22, 2010 11:34 AM|owjeff|LINK
Do you have a Global.asax file or are you using a load balancer or WAF? Any of those things could be coming into play. Also, is there any difference in ASP.NET config between this app and the test app in IIS?
Sep 22, 2010 12:11 PM|lp9999|LINK
The problem application has Global.asax, but the code behind file has only the standard method signatures; they don't execute any code. TestCustomError does not have Global.asax. I'm not using a load balancer or WAF.
On my development machine in IIS, TestCustomError got created as a virtual directory, whereas the problem app is a web application. On our test server they are both web apps, and the symptoms are the same on both machines. I compared all of the tabs in IIS and can't find any difference. I compared permissions and found that the problem app didn't grant ASP.NET read permission while TestCustomError did, but granting it didn't solve the problem.
Sep 22, 2010 02:20 PM|lp9999|LINK
Success, thanks to the good questions you asked. Look at the code I was running in the test page that was intentionally throwing the exception:
Dim ex As New ApplicationException("testing")   ' constructs the exception but never throws it
Originally I was using Throw New ApplicationException("testing"), and I had forgotten that I put the ExceptionManager code back in.
Throw New ApplicationException("testing")
Thanks for your time and patience.
Sep 22, 2010 02:28 PM|owjeff|LINK
Glad you got it figured out!