asp.net work around not working

Discussion in 'ASP.NET / ASP.NET Core' started by IbisOnline, Sep 23, 2010.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. I have tried to implement the asp.net vulnerability fix in my web.config file but nothing seems to work. I have tried the 3.5 and 4.0 versions, tried an error.aspx and an error.htm page, but I keep getting the IIS error page. There seems to be a discrepancy in my system.web tag, targetFramework = "4.0" and controlRenderingCompatibilityVersion = "3.5". I have .Net 4.0 installed locally and .Net 4.0 on my discountasp.net server. What else do I need to do to enable the custom error page?

    <system.web>
    <compilation debug="true" targetFramework="4.0">
    </compilation>
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="errors.aspx"></customErrors>
    </system.web>
     
  2. ...You're changing the debug mode, right? Don't leave it like that.

    A simple custom errors section looks like this:
    <customErrors mode="RemoteOnly">
    <error statusCode="404" redirect="~/error.aspx" />
    </customErrors>

    Try changing yours to use the path like that and the mode to RemoteOnly.
     
  3. What should I change the debug to? The Web.config was generated by Expression Web so I'm not sure why it is there. The info I saw on the vulnerability issue said to use a general custom error, or not use a 404 status, so there was no way for hackers to work around it. Do you agree with that? I'll give it a try and let you know how it comes out. But I'm not sure what to do about the debug mode. False would seem to be the only other option.

    Thanks for the reply
     
  4. ...The parts I was referring to were only the parts in bold.
    That example is how it works if you're using the Bing web tools, which are not needed but add a nice touch.
    You can always test with -> compilation debug="true"
    But you should always run your site with -> compilation debug="false"
    You can also run debug mode per page when you need to.

    There are a lot of comments on ScottGu's blog about this, but he did say to not use sub error pages, just the one for now until the patch is released, and he did mention you can use RemoteOnly safely now and later.

    Let me know if you get it working, the path change should do it.
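
The settings discussed in this thread (one general error page with no per-status entries, mode On or RemoteOnly, debug off on the live site) can be checked mechanically. The Python script below is an added example, not code from any poster in the thread; the function name `audit_web_config`, the optional `site_files` argument and the `<configuration>` wrappers around the posted snippets are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <system.web> block from the first post, wrapped in <configuration>.
SAMPLE_FIRST_POST = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0"></compilation>
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="errors.aspx"></customErrors>
  </system.web>
</configuration>"""

# Constructed sample: the customErrors section from the second post, wrapped the same way.
SAMPLE_SECOND_POST = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly">
      <error statusCode="404" redirect="~/error.aspx" />
    </customErrors>
  </system.web>
</configuration>"""

def audit_web_config(xml_text, site_files=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return ["no <system.web> section"]
    ce = web.find("customErrors")
    if ce is None:
        findings.append("customErrors section missing")
    else:
        mode = ce.get("mode", "RemoteOnly")  # RemoteOnly is the ASP.NET default
        if mode.lower() not in ("on", "remoteonly"):
            findings.append("customErrors mode is %s" % mode)
        target = ce.get("defaultRedirect")
        if not target:
            findings.append("no defaultRedirect")
        elif site_files is not None and target.lstrip("~/").lower() not in {f.lower() for f in site_files}:
            findings.append("defaultRedirect target not found: %s" % target)
        for err in ce.findall("error"):  # per-status pages ("sub error pages" in the thread)
            findings.append("per-status error page for %s" % err.get("statusCode"))
    comp = web.find("compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append("compilation debug is true")
    return findings

if __name__ == "__main__":
    for name, cfg in (("first post", SAMPLE_FIRST_POST), ("second post", SAMPLE_SECOND_POST)):
        print(name, audit_web_config(cfg))
```

Passing `site_files` (a set of file names deployed in the site root, supplied by whoever runs the check) also verifies that the `defaultRedirect` target is one of them.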
     