Monday, September 20, 2010

Potentially massive hole in 'good' ASP.NET sites

This is not just a simple patch fix, and even well-managed sites can have this issue.
It is driven by ASP.NET giving up too much information in error codes.

The big takeaway:

Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the “defaultRedirect” attribute on the <customErrors> section and ensure that no per-status codes are set.

Here's the Scott Gu post

Get busy out there.
