Corrupt Url bypasses ASP.NET customErrors settings

Discussion in 'ASP .Net Security' started by jnappi, Jul 2, 2010.

  1. jnappi

    jnappi Guest

    A recent security scan of our website has identified a vulnerability which
    appears to be an issue with ASP.NET itself. By passing a seemingly innocuous
    yet malicious URL, the user will bypass the customErrors settings in the
    web.config and, instead of getting a friendly error page, will see the "Server
    Error in '/' Application." error page.

    The underlying exception is:

    [HttpException (0x80004005): xxx is not a valid virtual path.]
    System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions
    options) +8855707

    This is easily reproduced by creating a simple website project with a
    Default.aspx page, an Error.aspx page, and customErrors on, pointing to the
    Error.aspx page. Variations of the following URL will cause the undesired


    This occurs on .NET 2.0 and 3.5, but when run on .NET 4.0 it is handled as a 404
    error. It appears that the bug has been fixed in 4.0, but I'm running 3.5.
    Has anyone seen this issue or have a solution?

    Just out of curiosity, I tried the same URL on the following sites, which
    exhibit the same bug.
    jnappi, Jul 2, 2010

  2. jnappi

    hedtec Guest

    I am having the exact same problem.

    If you look at the HTTP logs, it is listed as a 500 error, but no matter
    what I have tried, the custom error won't catch it.

    Any help would be appreciated.
    hedtec, Jul 27, 2010
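
The second post notes that the HTTP logs record these requests as 500 errors. As an added example (not part of the thread), this Python script scans IIS W3C extended logs for 500 responses on .aspx paths, to find requests that were answered with the default error page rather than the custom one. The sample log lines, the EXAMPLE-BAD-PATH placeholder and the function names are constructed for illustration, and it assumes the custom error page is served via a redirect, so handled errors are not logged as 500.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (not taken from the thread).
# EXAMPLE-BAD-PATH is a placeholder; the thread's actual URL is not shown.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-substatus
2010-07-27 10:00:01 GET /Default.aspx - 192.0.2.10 200 0
2010-07-27 10:00:05 GET /Missing.aspx - 192.0.2.10 302 0
2010-07-27 10:00:09 GET /Default.aspx/EXAMPLE-BAD-PATH - 198.51.100.7 500 0
2010-07-27 10:00:12 GET /Default.aspx/EXAMPLE-BAD-PATH - 198.51.100.7 500 0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2010-07-27 11:30:00 203.0.113.5 GET /Other.aspx/EXAMPLE-BAD-PATH 500
2010-07-27 11:30:02 203.0.113.5 GET /images/logo.png 500
"""


def iter_entries(lines):
    """Yield one dict per request, honouring every #Fields directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file (e.g. after a config change).
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def unhandled_500s(lines, extensions=(".aspx",)):
    """Count 500 responses whose path passes through an ASP.NET page."""
    hits = Counter()
    for entry in iter_entries(lines):
        stem = entry.get("cs-uri-stem", "").lower()
        # Substring match so trailing path info after ".aspx" is included.
        if entry.get("sc-status") == "500" and any(x in stem for x in extensions):
            hits[(entry["cs-uri-stem"], entry.get("c-ip", "-"))] += 1
    return hits


if __name__ == "__main__":
    report = unhandled_500s(SAMPLE_LOG.splitlines())
    for (stem, ip), count in report.most_common():
        print(f"{count:4d}  {ip:15s}  {stem}")
```
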
