Last post Sep 23, 2010 03:31 PM by snelso1
Sep 23, 2010 07:46 AM|jaminn|LINK
We made the recommended changes to the web.config, did an IIS reset. Browsing to http://servername/_vti_bin/webresource.axd returns 'An error has occurred on the server. '
Browsing to a non-existent page returns 'The file '/_layouts/foo.aspx' does not exist. at System.Web.UI.Util.CheckVirtualFileExists(VirtualPath virtualPath) ...etc.'
Doesn't seem like the workaround is working...?
Sep 23, 2010 09:21 AM|SPJen|LINK
I got the same error, but if you look at the URL of the page it probably shows "ErrorText=Path%20%27%2F%5Fvti%5Fbin%2Fwebresource%2Eaxd%27%20was%20not%20found%2E". This is different than what used to display in the URL before I made the change to the web.config.
That means the change was successful.
As for your other question regarding foo.aspx, another poster said in another thread that the changes that are indicated for other NON-SharePoint apps are not required for SharePoint applications. I haven't seen an official statement from Microsoft as to whether that is true or not, but user Snelso1's explanation in this thread (http://forums.asp.net/t/1604327.aspx) seems to explain why only the MOSS-specific instructions are applicable.
Sep 23, 2010 10:11 AM|jaminn|LINK
Thanks SPJen, this was the info I was looking for!
Sep 23, 2010 03:31 PM|snelso1|LINK
My explanation is for SharePoint 2010 and browsing to /pages/foo.aspx versus /_layouts/foo.aspx. You need to apply all of the instructions as per: http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx. In the post he mentions (for 2010):
"Verifying the workaround: After applying the workaround, you may not see a change in SharePoint’s error handling behavior. For example, you will still receive a 404 error if you try to access a page that does not exist – this is unique to the SharePoint workaround and is different from the expected behavior described here. This is by design — the workaround described here specifically protects against the ASP.NET vulnerability in error cases that are not handled by SharePoint."
That paragraph is what my explanation addresses. There are different instructions for 2010 and 2007. His MOSS 2007 instructions seem to ignore the root web.config change -- not sure why, but I don't have a 2007 environment in front of me.