J
jnappi
A recent security scan of our website has identified a vulnerability which
appears to be an issue with ASP.NET itself. By passing a seemingly innocuous
yet malicious url the user will bypass the customError settings in the
web.config and instead of getting a friendly error page, will see the "Server
Error in '/' Application." error page.
The underlying exception is:
[HttpException (0x80004005): xxx is not a valid virtual path.]
System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions
options) +8855707
This is easily reproduced by creating a simple website project with a
Default.aspx page, Error.aspx page and customErrors on pointing to the
error.aspx page. Variations of the folllowing url will cause the undesired
behavior.
http://localhost/Default.aspx//Default.aspx?free_text=
This occurs on .NET 2.0, and 3.5, but run on .NET 4.0 it handles it as a 404
error. It appears that the bug has been fixed in 4.0, but I'm running 3.5.
Has anyone seen this issue or have a solution?
Just for curiousity it tried the same url on the following sites which
exhibit the same bug.
http://www.myspace.com/Default.aspx//Default.aspx?free_text=
https://www.discountasp.net/Default.aspx//Default.aspx?free_text=
appears to be an issue with ASP.NET itself. By passing a seemingly innocuous
yet malicious url the user will bypass the customError settings in the
web.config and instead of getting a friendly error page, will see the "Server
Error in '/' Application." error page.
The underlying exception is:
[HttpException (0x80004005): xxx is not a valid virtual path.]
System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions
options) +8855707
This is easily reproduced by creating a simple website project with a
Default.aspx page, Error.aspx page and customErrors on pointing to the
error.aspx page. Variations of the folllowing url will cause the undesired
behavior.
http://localhost/Default.aspx//Default.aspx?free_text=
This occurs on .NET 2.0, and 3.5, but run on .NET 4.0 it handles it as a 404
error. It appears that the bug has been fixed in 4.0, but I'm running 3.5.
Has anyone seen this issue or have a solution?
Just for curiousity it tried the same url on the following sites which
exhibit the same bug.
http://www.myspace.com/Default.aspx//Default.aspx?free_text=
https://www.discountasp.net/Default.aspx//Default.aspx?free_text=