Last post Sep 28, 2010 03:32 PM by pitz
Sep 27, 2010 08:43 AM|Heinzi|LINK
I have a website with the following web.config:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
Accessing http://mysite/doesnotexist.aspx, http://mysite/doesnotexist.axd or even http://mysite/webresource.axd returns the contents of ErrorPage.aspx, as expected. However, accessing
yields the ASP.NET default 404 page and
yields the ASP.NET default 500 page.
I'm a bit confused. Since webresource.axd is one of the main attack targets (as I understood it), I would have thought that the workaround works for this handler as well...
Sep 27, 2010 08:54 AM|Rovastar|LINK
Hence the workaround that is now in place for teh past couple of days:
Sep 28, 2010 03:32 PM|pitz|LINK
@Heinzi, you hit it right on the spot. Now that the patch is out, I posted an explanation on why <customErrors> is not enough.