ASP.NET Custom Errors Security Flaw: Please Read!
** NOTE **
EDIT 29/9/2010
ASP.NET Security Update is now available. See here.
EDIT 21/9/2010:
Scott Guthrie has published an FAQ on the security vulnerability; read it here. Read his original post on the issue here.
See Steve Smith's blog post for details:
http://stevesmithblog.com/blog/asp-net-custom-errors-security-flaw/
Summary: You should have custom errors enabled, or HTTP error response codes disabled (in the firewall/router), so that an attacker can't use the information in error responses.
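One way to check a site's web.config against the summary above, as an added example that is not code from this post, Steve Smith or Microsoft. The sample configs and page paths are constructed, and treating a missing defaultRedirect and per-status error pages as findings is an assumption drawn from the goal of keeping error responses uninformative.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not from any real site).
WEAK_OFF = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""

WEAK_PER_STATUS = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
    <error statusCode="500" redirect="~/oops.html" />
  </customErrors>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        return ["no <customErrors> element: error handling is left to defaults"]
    findings = []
    mode = node.get("mode", "RemoteOnly")  # RemoteOnly is the ASP.NET default
    if mode.lower() == "off":
        findings.append("mode=Off: detailed error responses reach remote clients")
    # Assumption: one shared error page keeps all failures looking alike.
    if not node.get("defaultRedirect"):
        findings.append("no defaultRedirect: no single error page is configured")
    codes = sorted(e.get("statusCode", "?") for e in node.findall("error"))
    if codes:
        findings.append("per-status pages (%s) make error types distinguishable"
                        % ", ".join(codes))
    return findings


if __name__ == "__main__":
    for name, xml in [("off", WEAK_OFF), ("per-status", WEAK_PER_STATUS),
                      ("hardened", HARDENED)]:
        print(name, audit_custom_errors(xml) or "ok")
```

The check reads only the root web.config text it is given; settings inherited from machine.config or overridden in `<location>` elements are outside what it sees.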
As Steve said:
Please share this post and the information in it as widely as possible. As of this moment, virtually any ASP.NET web site online can potentially be compromised with about a minute’s work. By working together quickly, we (developers and IT pros) should be able to eliminate this vulnerability quickly, saving our companies and clients from potentially large losses.