Corrupt Url bypasses ASP.NET customErrors settings

Discussion in 'ASP .Net Security' started by jnappi, Jul 2, 2010.

  1. jnappi

    jnappi Guest

    A recent security scan of our website has identified a vulnerability which
    appears to be an issue with ASP.NET itself. By passing a seemingly innocuous
    yet malicious url the user will bypass the customError settings in the
    web.config and instead of getting a friendly error page, will see the "Server
    Error in '/' Application." error page.

    The underlying exception is:

    [HttpException (0x80004005): xxx is not a valid virtual path.]
    System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions
    options) +8855707

    This is easily reproduced by creating a simple website project with a
    Default.aspx page, an Error.aspx page and customErrors switched on pointing to
    the Error.aspx page. Variations of the following url will cause the undesired
    behavior.

    http://localhost/Default.aspx//Default.aspx?free_text=

    This occurs on .NET 2.0 and 3.5, but when run on .NET 4.0 it is handled as a
    404 error. It appears that the bug has been fixed in 4.0, but I'm running 3.5.
    Has anyone seen this issue or have a solution?

    Just for curiosity I tried the same url on the following sites, which
    exhibit the same bug.

    http://www.myspace.com/Default.aspx//Default.aspx?free_text=
    https://www.discountasp.net/Default.aspx//Default.aspx?free_text=
     
    jnappi, Jul 2, 2010
    #1
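An added example, not code from either poster: a small Python probe that sends the double-slash URL from the post above (plus a few constructed variants) to a host and classifies each response as having reached the raw "Server Error in '/' Application." page, a 404 (the .NET 4.0 behaviour the post describes), or a handled page, so the bypass can be confirmed against a staging host and re-checked after a mitigation or framework upgrade. The variant list, the marker strings, the `Verdict`/`probe`/`classify` names and the `SAMPLE_RESPONSES` used by `sample_fetcher` are all assumptions constructed for illustration; the sample fetcher lets the script run offline.

```python
"""Probe for the ASP.NET double-slash customErrors bypass described above.

Added example, not code from the original posts.  The URL variants, the
marker strings and the sample responses are constructed for illustration.
"""
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Path variants to try.  The first is the URL from the thread; the rest
# are constructed guesses at nearby shapes a scanner would also send.
VARIANTS = [
    "/Default.aspx//Default.aspx?free_text=",
    "/Default.aspx//Default.aspx",
    "/Default.aspx/Default.aspx//",
    "//Default.aspx",
    "/Default.aspx//",
]

# Strings that appear on the framework's own error page (and in the
# exception quoted in the thread).  Assumed: the site's custom error page
# does not contain them.
DEFAULT_ERROR_MARKERS = (
    "Server Error in '/' Application",
    "is not a valid virtual path",
)


@dataclass
class Verdict:
    url: str
    status: int
    outcome: str  # "bypass", "not_found" or "handled"


def classify(status, body):
    """Decide what the client actually saw for one response."""
    text = body.decode("utf-8", errors="replace") if isinstance(body, bytes) else body
    if any(marker in text for marker in DEFAULT_ERROR_MARKERS):
        return "bypass"      # raw ASP.NET error page leaked to the client
    if status == 404:
        return "not_found"   # the .NET 4.0 behaviour the thread describes
    return "handled"         # custom error page (typically a 302 to Error.aspx
                             # that the client follows to a 200) or a normal page


def fetch(url, timeout=10):
    """Real fetcher: returns (status, body) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "dblslash-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url, variants=VARIANTS, fetcher=fetch):
    """Send every variant under base_url and return one Verdict per URL."""
    results = []
    for variant in variants:
        url = base_url.rstrip("/") + variant
        status, body = fetcher(url)
        results.append(Verdict(url, status, classify(status, body)))
    return results


def bypassed(results):
    """URLs on which the customErrors page was bypassed."""
    return [r.url for r in results if r.outcome == "bypass"]


# Constructed sample responses standing in for a .NET 3.5-era server so the
# example runs offline; keyed by path plus query string.
SAMPLE_RESPONSES = {
    "/Default.aspx//Default.aspx?free_text=": (
        500,
        b"<html><h1>Server Error in '/' Application.</h1>"
        b"<p>'/Default.aspx//Default.aspx' is not a valid virtual path.</p></html>",
    ),
    "/Default.aspx//Default.aspx": (
        500,
        b"<html><h1>Server Error in '/' Application.</h1></html>",
    ),
    "//Default.aspx": (404, b"<html>The resource cannot be found.</html>"),
    "/Default.aspx//": (200, b"<html><title>Oops</title>Friendly error page</html>"),
}


def sample_fetcher(url):
    """Offline stand-in for fetch() that answers from SAMPLE_RESPONSES."""
    parts = urllib.parse.urlsplit(url)
    key = parts.path + ("?" + parts.query if parts.query else "")
    return SAMPLE_RESPONSES.get(key, (200, b"<html>Default page</html>"))


if __name__ == "__main__":
    # Swap sample_fetcher for the default fetch to probe a real host.
    for verdict in probe("http://localhost", fetcher=sample_fetcher):
        print(f"{verdict.status:3d}  {verdict.outcome:<9s}  {verdict.url}")
```

Run it with the default `fetch` against a staging copy of the site, never a third party's. Note that the thread's stack trace shows the exception coming from ASP.NET's own virtual-path resolution rather than from page code, so a fix inside the application is unlikely to catch it; rejecting `//` path sequences at the web-server layer, ahead of ASP.NET, is the first thing to try, and the probe is there to confirm whether such a change actually stopped the default error page from reaching the client.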

  2. hedtec

    hedtec Guest

    I am having the exact same problem.

    If you look at the http logs, it is listing it as a 500 error, but no matter
    what I have tried, the custom error won't catch it.

    Any help would be appreciated.

    hedtec, Jul 27, 2010
    #2