As such, everyone who has made an ASP.NET Web site should take this threat very seriously.
Microsoft is putting together a patch. Until then, they suggest a workaround of turning on customErrors, and having it point to a single error file.
For ASP.NET versions 1.x, 2.0 and 3.5, create a single HTML-based error page, upload it to the root directory of your Web site, then add or change the customErrors section in your web.config file with the following:
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>
Where, of course, error.html is the name of the error page you made.
If your site uses ASP.NET 3.5 SP1 or ASP.NET 4.0, use the custom ASPX error page located on Scott Guthrie’s blog (VB and C# versions), and change the customErrors section of your web.config file thus:
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
Where, of course, error.aspx is the name of the error page you created.
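Once the web.config change is rolled out across many sites, it helps to have a check that the workaround is actually in place on each one. The script below is an added example, not code from this post or from Microsoft: it parses a web.config, confirms that customErrors is switched on, that a single defaultRedirect page is set with no per-status error entries (so every failure produces the same page, as the workaround above requires), and, for the 3.5 SP1 / 4.0 case, that redirectMode is ResponseRewrite. The sample configurations are constructed for the example; the function name and the supports_response_rewrite parameter are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from a real site).
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

FIXED_CONFIG_2_0 = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>"""

FIXED_CONFIG_4_0 = """<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>"""

MISSING_CONFIG = """<configuration>
  <system.web />
</configuration>"""


def check_custom_errors(config_xml, supports_response_rewrite):
    """Return a list of findings; an empty list means the workaround is in place.

    supports_response_rewrite: True for ASP.NET 3.5 SP1 / 4.0, where the post
    recommends redirectMode="ResponseRewrite"; False for 1.x / 2.0 / 3.5.
    """
    findings = []
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        # No customErrors element at all: the framework default applies.
        return ["customErrors element missing from system.web"]

    mode = node.get("mode", "")
    if mode != "On":
        findings.append('customErrors mode is "%s", expected "On"' % (mode or "<unset>"))

    if not node.get("defaultRedirect"):
        findings.append("defaultRedirect not set: no single error page for all errors")

    # Per-status <error statusCode=... /> children would let different failures
    # show different pages, which defeats the single-error-page workaround.
    if node.find("error") is not None:
        findings.append("per-status <error> entries present: remove them")

    if supports_response_rewrite and node.get("redirectMode") != "ResponseRewrite":
        findings.append('redirectMode should be "ResponseRewrite" on 3.5 SP1 / 4.0')

    return findings


def check_file(path, supports_response_rewrite):
    """Convenience wrapper for a web.config on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_custom_errors(fh.read(), supports_response_rewrite)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("2.0", FIXED_CONFIG_2_0),
                      ("4.0", FIXED_CONFIG_4_0), ("missing", MISSING_CONFIG)):
        print(name, check_custom_errors(cfg, supports_response_rewrite=True) or "OK")
```

Run it against each site's web.config with the flag set according to the ASP.NET version that site runs; any non-empty result is a site that still needs the change.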
To make things easier, I have zipped up copies of the three error documents — error.html, and the VB.NET / C# versions of the ASP.NET error files — for download. I distribute all code under the GNU GPL.
I’m taking this threat very seriously and have patched all my ASP.NET sites as advised.
All links in this post on delicious: http://www.delicious.com/dougvdotcom/major-security-hole-in-asp-net-requires-error-redirect-workaround