Corrupt Url bypasses ASP.NET customErrors settings

A recent security scan of our website has identified a vulnerability which
appears to be an issue with ASP.NET itself. By passing a seemingly innocuous
yet malicious url the user will bypass the customError settings in the
web.config and instead of getting a friendly error page, will see the "Server
Error in '/' Application." error page.

The underlying exception is:

[HttpException (0x80004005): xxx is not a valid virtual path.]
System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions
options) +8855707

This is easily reproduced by creating a simple website project with a
Default.aspx page, Error.aspx page and customErrors on pointing to the
error.aspx page. Variations of the folllowing url will cause the undesired


This occurs on .NET 2.0, and 3.5, but run on .NET 4.0 it handles it as a 404
error. It appears that the bug has been fixed in 4.0, but I'm running 3.5.
Has anyone seen this issue or have a solution?

Just for curiousity it tried the same url on the following sites which
exhibit the same bug.