Corrupt Url bypasses ASP.NET customErrors settings
A recent security scan of our website has identified a vulnerability which appears to be an issue with ASP.NET itself. By passing a seemingly innocuous yet malicious url the user will bypass the customError settings in the web.config and instead of getting a friendly error page, will see the "Server Error in '/' Application." error page.

The underlying exception is:

[HttpException (0x80004005): xxx is not a valid virtual path.]
System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions options) +8855707

This is easily reproduced by creating a simple website project with a Default.aspx page, Error.aspx page and customErrors on, pointing to the error.aspx page. Variations of the following url will cause the undesired behavior.

http://localhost/Default.aspx/%2fDef...3ffree_text%3d

This occurs on .NET 2.0 and 3.5, but run on .NET 4.0 it handles it as a 404 error. It appears that the bug has been fixed in 4.0, but I'm running 3.5. Has anyone seen this issue or have a solution?

Just for curiosity I tried the same url on the following sites, which exhibit the same bug.

http://www.myspace.com/Default.aspx/...3ffree_text%3d
https://www.discountasp.net/Default....3ffree_text%3d
RE: Corrupt Url bypasses ASP.NET customErrors settings
I am having the exact same problem.

If you look at the http logs, it is listing it as a 500 error, but no matter what I have tried, the custom error won't catch it. Any help would be appreciated.

"jnappi" wrote:
> A recent security scan of our website has identified a vulnerability which appears to be an issue with ASP.NET itself. By passing a seemingly innocuous yet malicious url the user will bypass the customError settings in the web.config and instead of getting a friendly error page, will see the "Server Error in '/' Application." error page.
>
> The underlying exception is:
>
> [HttpException (0x80004005): xxx is not a valid virtual path.]
> System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions options) +8855707
>
> This is easily reproduced by creating a simple website project with a Default.aspx page, Error.aspx page and customErrors on, pointing to the error.aspx page. Variations of the following url will cause the undesired behavior.
>
> http://localhost/Default.aspx/%2fDef...3ffree_text%3d
>
> This occurs on .NET 2.0 and 3.5, but run on .NET 4.0 it handles it as a 404 error. It appears that the bug has been fixed in 4.0, but I'm running 3.5. Has anyone seen this issue or have a solution?
>
> Just for curiosity I tried the same url on the following sites, which exhibit the same bug.
>
> http://www.myspace.com/Default.aspx/...3ffree_text%3d
> https://www.discountasp.net/Default....3ffree_text%3d
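Since the reply notes that the HTTP logs record these requests as 500s, a defender can at least find them after the fact. The following is an added example, not code from either poster: it parses a constructed IIS W3C log excerpt (field names follow the standard W3C directive) and flags 500 responses whose path carries extra path-info after an .aspx segment with an encoded slash or backslash, the shape of URL the original post describes. The log lines, IPs and URLs are all invented for the example.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not taken from the thread); the #Fields line defines column order.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-substatus
2013-05-01 14:02:11 10.0.0.5 GET /Default.aspx - 80 203.0.113.9 200 0
2013-05-01 14:02:13 10.0.0.5 GET /Default.aspx/%2fpage.aspx%3fq%3d1 - 80 203.0.113.9 500 0
2013-05-01 14:02:14 10.0.0.5 GET /Error.aspx - 80 203.0.113.9 200 0
2013-05-01 14:02:15 10.0.0.5 GET /Default.aspx/%5cfoo - 80 198.51.100.7 500 0
2013-05-01 14:02:16 10.0.0.5 GET /Missing.aspx - 80 198.51.100.7 404 0
2013-05-01 14:02:17 10.0.0.5 GET /Default.aspx - 80 198.51.100.7 500 0
"""

ENCODED_SEPARATOR = re.compile(r"%(2f|5c)", re.IGNORECASE)   # %2f = '/', %5c = '\'
PATH_INFO_AFTER_ASPX = re.compile(r"\.aspx/.+", re.IGNORECASE)  # anything after "<page>.aspx/"

def parse_w3c(text):
    """Yield one dict per record, mapping names from the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("record appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed or truncated record: skip, do not crash
        yield dict(zip(fields, values))

def is_suspicious_stem(stem):
    """True when path-info after an .aspx segment carries an encoded or doubled separator."""
    if not PATH_INFO_AFTER_ASPX.search(stem):
        return False
    if ENCODED_SEPARATOR.search(stem):
        return True
    decoded = unquote(stem)               # also catch stems the server already decoded
    return "\\" in decoded or "//" in decoded

def find_custom_error_bypasses(text):
    """Return the 500 responses whose request path matches the bypass shape."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("sc-status") == "500" and is_suspicious_stem(rec.get("cs-uri-stem", "")):
            hits.append({"time": f"{rec['date']} {rec['time']}",
                         "client": rec["c-ip"], "stem": rec["cs-uri-stem"]})
    return hits
```

Run `find_custom_error_bypasses(SAMPLE_LOG)` over the sample: the two encoded-separator requests are returned and the plain 500 on /Default.aspx is not, so the check separates this URL shape from ordinary application errors.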