Major Security Hole In ASP.NET Requires Error Redirect Workaround

A major security flaw in ASP.NET was announced on Friday — one that affects all versions and can allow an attacker to see ViewState and web.config data in clear text.

As such, everyone who has made an ASP.NET Web site should take this threat very seriously.

Microsoft is putting together a patch. Until then, they suggest a workaround of turning on customErrors, and having it point to a single error file.

For ASP.NET versions 1.x, 2.0 and 3.5, create a single HTML-based error page, upload it to the root directory of your Web site, then add or change the customErrors section in your web.config file with the following:

<configuration>
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>
</configuration>

Where, of course, error.html is the name of the error page you made.

If your site uses ASP.NET 3.5 SP1 or ASP.NET 4.0, use the custom ASPX error page located on Scott Guthrie’s blog (VB and C# versions), and change the customErrors section of your web.config file thus:

<configuration>
   <system.web>
     <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>

Where, of course, error.aspx is the name of the error page you created.

To make things easier, I have zipped up copies of the three error documents — error.html, and the VB.NET / C# versions of the ASP.NET error files — for download. I distribute all code under the GNU GPL.

I’m taking this threat very seriously and have patched all my ASP.NET sites as advised.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/major-security-hole-in-asp-net-requires-error-redirect-workaround

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Current ye@r *