Corrupt Url bypasses ASP.NET customErrors settings
A recent security scan of our website has identified a vulnerability which
appears to be an issue with ASP.NET itself. By passing a seemingly innocuous
yet malicious url the user will bypass the customError settings in the
web.config and instead of getting a friendly error page, will see the "Server
Error in '/' Application." error page.

The underlying exception is:

[HttpException (0x80004005): xxx is not a valid virtual path.]
System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions options) +8855707

This is easily reproduced by creating a simple website project with a
Default.aspx page, Error.aspx page and customErrors on pointing to the
error.aspx page. Variations of the following url will cause the undesired
behavior.

http://localhost/Default.aspx/%2fDefault.aspx%3ffree_text%3d

This occurs on .NET 2.0 and 3.5, but when run on .NET 4.0 it is handled as a 404
error. It appears that the bug has been fixed in 4.0, but I'm running 3.5.
Has anyone seen this issue or have a solution?

Just for curiosity I tried the same url on the following sites, which
exhibit the same bug.

http://www.myspace.com/Default.aspx/%2fDefault.aspx%3ffree_text%3d
https://www.discountasp.net/Default.aspx/%2fDefault.aspx%3ffree_text%3d
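One workaround a defender can try while on .NET 3.5, as an added example that is not part of the original post: an HttpModule that inspects the raw, still-encoded request URL in BeginRequest and sends requests whose path carries a percent-encoded slash to the same Error.aspx page that customErrors points at, before ASP.NET parses the path as a virtual path. It assumes the module is registered in web.config (httpModules for classic mode, system.webServer/modules for IIS 7 integrated mode) and that BeginRequest fires before the path parse that throws; the latter was not verified on the poster's setup.

```csharp
// Added example (not from the original post). Screens the raw request URL for an
// encoded "/" or "\" inside the path part and redirects to the friendly error page,
// mirroring the default customErrors redirect that the corrupt URL bypasses.
// Assumption: BeginRequest runs before the VirtualPath.Create call that throws.
using System;
using System.Web;

public class EncodedSlashScreeningModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    // True when the path part of a raw URL still contains a percent-encoded
    // slash or backslash, i.e. a separator the web server left undecoded but
    // that ASP.NET later rejects as "not a valid virtual path".
    public static bool HasEncodedSeparatorInPath(string rawUrl)
    {
        if (string.IsNullOrEmpty(rawUrl)) return false;
        int q = rawUrl.IndexOf('?');
        string path = q < 0 ? rawUrl : rawUrl.Substring(0, q);
        return path.IndexOf("%2f", StringComparison.OrdinalIgnoreCase) >= 0
            || path.IndexOf("%5c", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        // RawUrl is the undecoded string from the worker request; reading it does
        // not go through VirtualPath.Create the way Request.Path or FilePath do.
        if (!HasEncodedSeparatorInPath(app.Context.Request.RawUrl)) return;

        // Same destination as the poster's customErrors setting. Redirect with
        // endResponse=false plus CompleteRequest avoids the ThreadAbortException
        // that Response.Redirect(url) raises when it ends the response itself.
        app.Context.Response.Redirect("~/Error.aspx", false);
        app.CompleteRequest();
    }
}
```

The example URL from the post, Default.aspx/%2fDefault.aspx%3ffree_text%3d, is caught because its path segment contains %2f; a normal request such as /Default.aspx?free_text=1 passes through untouched.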