Welcome to AspAdvice Sign in | Join | Help

ASP.NET Custom Errors Security Flaw: Please Read!

** NOTE ** 

EDIT 29/9/2010

ASP.NET Security Update is now available. See here.

EDIT 21/9/2010 :

Scott Guthrie has published FAQ on the Security Vulnerability, read it here. Read his original post on the issue here.

** **

See Steve Smith's blog post for details

 http://stevesmithblog.com/blog/asp-net-custom-errors-security-flaw/

Summary: You should have custom errors enabled or HTTP error response codes (in firewall/router) disabled so that attacker can't use the information of error responses.

As Steve said: 

Please share this post and the information in it as widely as possible.  As of this moment, virtually any ASP.NET web site online can potentially be compromised with about a minute’s work.  By working together quickly, we (developers and IT pros) should be able to eliminate this vulnerability quickly, saving our companies and clients from potentially large losses

Sponsor
Published Saturday, September 18, 2010 9:58 AM by joteke
Filed under: ,

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

No Comments

Leave a Comment

(required) 
required 
(required) 
Enter the code you see below