aspxerrorpath = / url中导致自定义错误页到不行 [英] aspxerrorpath=/ in url causes custom error page to not work

问题描述

我试图让一个网站符合PCI规范。

如果您访问（虚拟IP）：
    HTTP：someipaddress / ZNYTMHXO.ashx

然后用户正确地看到从我在web配置都表示页面的HTML：
        
            
        

然而，如果你使用相同的URL，但与aspxerrorpath = /查询字符串？
    HTTP：someipaddress / ZNYTMHXO.ashx aspxerrorpath = /

然后，页面显示/应用程序中的服务器错误。运行时错误。

这是失败的PCI扫描。

为什么这个变量引起的问题？

对不起，我应该声明ZNYTMHXO.ashx不存在。 404重定向的作品时asperrorpath不在查询字符串。

----- -----更新
只是帮助，这是页面显示的HTML，非常有限的。

 ＆LT;！DOCTYPE HTML＆GT;
＆LT; HTML和GT;
    ＆LT; HEAD＆GT;
        ＆LT;标题＆GT;运行时错误＆LT; /标题＆GT;
        ＆LT; META NAME =视口CONTENT =WIDTH =设备宽度/＆GT;
        ＆LT;风格＆GT;
         身体{FONT-FAMILY：宋体;字体重量：正常;字体大小：.7em;颜色：黑色;}
         p {FONT-FAMILY：宋体;字体重量：正常;颜色：黑色;的margin-top：-5px}
         B {FONT-FAMILY：宋体;字体重量：大胆;颜色：黑色;的margin-top：-5px}
         H1 {FONT-FAMILY：宋体;字体重量：正常;字体大小：18pt;颜色：红}
         H2 {FONT-FAMILY：宋体;字体重量：正常;字体大小：14pt;颜色：栗色}
         pre {FONT-FAMILY：索拉，龙力控制台，等宽字体;字体大小：11磅;保证金：0;填充：0.5em;线高度：14pt}
         .marker {字体重量：大胆的;颜色：黑色;文字修饰：无;}
         .version {颜色：灰色;}
         .error {保证金底：10px的;}
         .expandable {文字装饰：下划线;字体重量：大胆的;颜色：海军;光标：手; }
         @media屏（最大宽度：639px）{
          pre {宽度：440px;溢出：汽车;空格：pre-包装;自动换行：打破字; }
         }
         @media屏（最大宽度：479px）{
          pre {宽度：280像素; }
         }
        ＆LT; /风格＆GT;
    ＆LT; /头＆GT;    ＆LT;车身的bgcolor =白＆GT;            ＆LT;跨度＆GT;＆LT; H1＆gt;以/应用程序中的服务器错误＆LT; HR WIDTH = 100％大小= 1 =颜色银色＆GT;＆LT; / H1＆GT;            ＆LT; H2＆GT; ＆LT; I＆GT;运行时错误＆LT; / I＆GT; ＆LT; / H＆GT;＆LT; / SPAN＆GT;            ＆LT;字型=宋体，黑体，日内瓦，SunSans正规，无衬线＆GT;            ＆LT; B＆GT;说明：其中; / B＆GT;处理您的请求时发生异常。此外，在执行自定义错误页的第一个异常发生另一个异常。该请求已被终止。
            ＆LT; BR＆GT;＆LT; BR＆GT;    ＆LT; /身体GT;
＆LT; / HTML＆GT;
 

解决方案

这ScottGuthrie下面的博客帖子的http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx应该是有帮助的。

他介绍了如何使用IIS URL扫描模块：

  

不允许有一个网址，aspxerrorpath =查询字符串属性
  从使他们的方式向ASP.NET应用程序，并会导致代替
  web服务器返回一个HTTP错误。添加此规则prevents
  从不同类型的错误区分的攻击者
  发生在服务器上 - 这有助于利用此块攻击
  漏洞。

他正在写有关报道进行修补漏洞。然而，一些报告这个还是有问题迟.NET 4.0（这里所说的：<一href=\"http://stackoverflow.com/questions/4097184/why-does-the-asp-net-error-page-return-404-as-soon-as-the-aspxerrorpath-querystr\">Why确实在ASP.NET错误页面返回404只要aspxerrorpath查询字符串是present？）

您PCI扫描可能会试图利用此同一漏洞。消除这些弱点，你应该通过。

希望有所帮助。

I'm trying to get a site pci compliant.

If you visit (dummy ip): http:someipaddress/ZNYTMHXO.ashx

Then the user correctly sees the html from the page I have stated in my web config:

However if you use the same url but with ?aspxerrorpath=/ in the query string: http:someipaddress/ZNYTMHXO.ashx?aspxerrorpath=/

Then the page displays a Server Error in '/' Application. runtime error.

This is failing the pci scan.

Why is this variable causing an issue?

Sorry I should state that ZNYTMHXO.ashx does not exist. 404 redirect works when asperrorpath is not in the querystring.

-----UPDATE----- Just to help, this is the html of the page that shows, very limited.

<!DOCTYPE html>
<html>
    <head>
        <title>Runtime Error</title>
        <meta name="viewport" content="width=device-width" />
        <style>
         body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} 
         p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
         b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
         H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
         H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
         pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
         .marker {font-weight: bold; color: black;text-decoration: none;}
         .version {color: gray;}
         .error {margin-bottom: 10px;}
         .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
         @media screen and (max-width: 639px) {
          pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }
         }
         @media screen and (max-width: 479px) {
          pre { width: 280px; }
         }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

            <h2> <i>Runtime Error</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> Description: </b>An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.
            <br><br>

    </body>
</html>

解决方案

The following blog post from ScottGuthrie http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx should be helpful.

He describes how to use the IIS Url Scan module to:

disallows URLs that have an "aspxerrorpath=" querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.

He was writing about a vulnerability that was reported to be patched. However some are reporting this is still problematic as late as .Net 4.0 (mentioned here: Why does the ASP.NET error page return 404 as soon as the aspxerrorpath querystring is present?)

Your PCI scan is likely trying to exploit this same vulnerability. Eliminate the vulnerability and you should pass.

Hope that helps.

这篇关于aspxerrorpath = / url中导致自定义错误页到不行的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！