Corrupt Url bypasses ASP.NET customErrors settings



A recent security scan of our website has identified a vulnerability which
appears to be an issue with ASP.NET itself. By passing a seemingly innocuous
yet malicious URL, the user will bypass the customErrors settings in the
web.config and instead of getting a friendly error page, will see the "Server
Error in '/' Application." error page.

The underlying exception is:

[HttpException (0x80004005): xxx is not a valid virtual path.]
System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions options) +8855707

This is easily reproduced by creating a simple website project with a
Default.aspx page, Error.aspx page and customErrors on pointing to the
error.aspx page. Variations of the following URL will cause the undesired


This occurs on .NET 2.0 and 3.5, but when run on .NET 4.0 it is handled as a 404
error. It appears that the bug has been fixed in 4.0, but I'm running 3.5.
Has anyone seen this issue or have a solution?

Just out of curiosity, I tried the same URL on the following sites, which
exhibit the same bug.




I am having the exact same problem.

If you look at the http logs, it is listing it as a 500 error, but no matter
what I have tried, the custom error won't catch it.

Any help would be appreciated.
