Robots are trying to hack my IIS site using Apache exploits again.
The w00tw00t attacks return the yellow screen of death instead of using the custom error page as defined in web.config:
<customErrors mode="RemoteOnly" defaultRedirect="/error"/>
Any suggestions on how to get IIS to do the right thing here and redirect them?
It looks like there is a bug in customErrors default redirect in web.config. In my web.config file I have the following customErrors setting
<customErrors defaultRedirect="~/generalerror.html?" mode="On" />
As far as I know this should send all errors to the custom generalerror.html page. It seems to work for some invalid URLs like
http://website.com/?x="<p>"
http://website.com/"<p>"
BUT it is not working when “&” is used in the URL and there is no “?” and there is an HTML tag. So this
http://website.com/&x="<p>"
totally ignores customErrors and you are given the default yellow Runtime Error instead of being sent to the custom generalerror.html page. How do I get this URL to also be redirected to the custom error page?
If I turn mode="Off" in the web.config I get the following error
A potentially dangerous Request.RawUrl value was detected from the client (="/&x="<p>"").
Since you are passing HTML tags in the URL, it could be indicative of a cross-site scripting attack. Not all HTML tags are dangerous, but when HTML characters are followed by certain characters like '&' in your case, ASP.NET considers it a cross-site scripting attack and doesn't allow it by default.
You should consider encoding the URL to get around this. And it is always a best practice. Here is a good explanation about XSS. And here is a link that explains in detail how to get around this issue.
To change this behavior, you can set request validation to false in web.config.
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
But in this case, requests need to be validated in the pages.
Breaking changes were made to ASP.NET request validation in .NET 4.0 and this entry is required to revert the behavior to .NET 2.0 where invalid URLs will redirect to custom error page.
<httpRuntime requestValidationMode="2.0" />
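A way to get the rejected request onto the custom page without turning request validation off, as an added example that is not code from any of the answers above: handle the exception in Global.asax and redirect to the generalerror.html page named in the question. The Global class name and the Trace-based logging helper are assumptions; swap in your own logging.

```csharp
// Global.asax.cs -- added example, not code from the original posts.
// Assumes the custom page from the question exists at ~/generalerror.html;
// LogRejectedRequest is a placeholder for whatever logging you already use.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
        {
            return;
        }

        // An exception that escapes a page arrives wrapped in HttpUnhandledException;
        // one thrown while validating Request.RawUrl arrives bare. Unwrap so the
        // type test below works in both cases.
        Exception root = ex;
        if (ex is HttpUnhandledException && ex.InnerException != null)
        {
            root = ex.InnerException;
        }

        if (!(root is HttpRequestValidationException))
        {
            // Anything else falls through to <customErrors> as usual.
            return;
        }

        // Request validation rejected the URL ("<p>" followed by "&" in the
        // question). Do not echo any part of Request.RawUrl into HTML: that
        // reflection is exactly what the validator exists to prevent.
        LogRejectedRequest(Request.RawUrl, Request.UserHostAddress);

        // Clearing the error suppresses the yellow screen. Validation itself
        // stays on for every request; nothing here sets validateRequest="false".
        Server.ClearError();

        // Redirect without ending the response, which avoids the
        // ThreadAbortException that Response.Redirect(url, true) raises here.
        Response.Redirect("~/generalerror.html", false);
        CompleteRequest();
    }

    private static void LogRejectedRequest(string rawUrl, string clientAddress)
    {
        // Placeholder for your logging framework. The log is the only place the
        // rejected value should ever appear; keep it out of any page output.
        System.Diagnostics.Trace.TraceWarning(
            "Request validation rejected {0} from {1}", rawUrl, clientAddress);
    }
}
```

This keeps the .NET 4.0 validation behavior intact (no requestValidationMode="2.0" and no validateRequest="false") and only changes what the client sees after a request has already been refused.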
In the case where a particular ActiveX control has not been installed on my user's workstation, attempting to load a particular file extension (e.g. "*.ica") causes a 404.3 status to be thrown. I would like to redirect this to an actual page instead of having the user see either the textual content of the file (lower versions of IE) or the 404.3 page (higher versions). I know how to do a custom errors redirect:
<customErrors mode="On">
<error statusCode="404" redirect="pageNotfound.aspx" />
</customErrors>
but I can't put 404.3 in the statusCode because it only takes integers, and there doesn't seem to be any other place to put the ".3". Besides what is shown above, the customErrors.errors node has only a few "lock" attributes available. Is there a way to catch a 404.3?
ETA: Since posting this question I have determined that IIS can be instructed to handle Custom Errors. I have tried this in IIS 7.5, but even setting the desired custom error page for 404.3 does not actually work.
It is still redirecting to the default 404.3 error page.
<system.web>
<compilation debug ="true" targetFramework="2.0"/>
<customErrors mode="Off"/>
</system.web>
I'm trying to get some type of meaningful error message instead of some generic HTTP 500 error message. Usually when I set customErrors to Off on my other apps, not related to this web page that is giving me trouble, it produces a meaningful error message.
Also, this page was created in classic ASP.
Classic ASP doesn't use web.config AFAIK (I've always used IIS anyway).
In IIS7, select your site, double click the "ASP" module, expand "Debugging Properties" then set "Send Errors to Browser" to True.
My setup:
Windows 7 Ultimate
IIS 7
Visual Studio 2008
The scenario:
building a simple website locally
an exception is occurring in my app (this is perfect, since I'm trying to setup a custom error page)
without customErrors setup in the web.config file, I get detailed info about the error
WITH customErrors setup in the web.config file, I get the following page when my error occurs:
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed.
There's more text than that, but I'm sure you've all seen it before. At this point, the URL is:
http://localhost/bluheron/Error.aspx?aspxerrorpath=/bluheron
So, it looks like it redirected to my error page (Error.aspx), but I'm not seeing my error text ("An error has occurred. Please try again."). Instead, I'm getting a funky URL with loads of other text, including instructions on how to set up my web.config file, which, by the way, contains this:
<customErrors mode="On" defaultRedirect="Error.aspx" />
It's in the default location, which is inside the system.web section, which is inside the configuration section.
By the way, my Error.aspx page is in the root of my app.
Can someone explain what the fancy URL is all about and why my simple error page isn't displaying?
Thanks,
Jay
The error redirect is just what happens normally with customErrors. You can, however, disable this behavior and preserve the original URL (not sending a 302 redirecting your user to the error page's URL). This will execute/send the output of your error page:
Add redirectMode="ResponseRewrite" to your customErrors declaration:
<customErrors mode="On" defaultRedirect="Error.aspx" redirectMode="ResponseRewrite" />
If you're still getting the same behavior, there's something wrong with the whole application, and you should turn customErrors off and see what the issue is (this happens with an invalid web.config and many other cases).
I've got this in my web.config and it's being hosted by the DiscountASP.net ISP
<customErrors mode="On" defaultRedirect="">
<error statusCode="404" redirect="404.aspx"/>
<error statusCode="500" redirect="404.aspx"/>
</customErrors>
I am hosting the site on DiscountASP.net and they also tell you to config it this way. I'm using Enterprise Library but I don't think that should make a difference. I don't believe I need to config anything for a 404 in EL.
When my page loads with an error, my 404.aspx doesn't show and I get the default custom errors off message. I do not know why I don't get my 404.aspx page showing and get this instead:
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's configuration tag to point to a custom error page URL.
Have you tried using a relative path to see if that makes a difference?
<error statusCode="404" redirect="~/404.aspx"/>
Alternately, try an absolute path:
<error statusCode="404" redirect="http://www.domain.com/errors/404.aspx"/>
EDIT: As others have pointed out, and based on your comment to another answer, the 404 error page should be displayed when someone navigates to a page that doesn't exist, whereas general errors on a page could be captured by the defaultRedirect. So if you're testing the 404 then make sure you're testing with a nonexistent page. To test the defaultRedirect then have one of your pages throw an exception etc.
Is it possible that you are overriding this in another web.config, say in a sub folder? Or we can go the other way. Are you sure this is in the application root?
Is there any reason why you don't want to use the defaultRedirect for 500 errors?
You are FTP-ing the files, correct? Try uploading the file as a binary file instead of text. You might be suffering from an encoding problem. I'm willing to bet right now that nothing you are doing in your web.config is working.
I found a solution here.
The real catch was using this:
Response.TrySkipIisCustomErrors = true;
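An error page that works with the redirectMode="ResponseRewrite" setting from the earlier answer and applies the Response.TrySkipIisCustomErrors fix from this one, as an added example that is not code from the original posts. It assumes web.config points defaultRedirect at ~/Error.aspx with ResponseRewrite and that Error.aspx declares a Literal control with ID="Message"; both are assumptions.

```csharp
// Error.aspx.cs -- added example, not code from the original posts.
// Assumes web.config contains
//   <customErrors mode="On" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite" />
// and that Error.aspx declares <asp:Literal ID="Message" runat="server" />.
using System;
using System.Web;
using System.Web.UI;

public partial class ErrorPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // With ResponseRewrite this page executes inside the failing request,
        // so the exception is still available. With the default ResponseRedirect
        // it is not: the browser was sent a 302 and only aspxerrorpath survives.
        Exception ex = Server.GetLastError();

        // Work out the status to report. A missing page surfaces as an
        // HttpException with code 404; anything else is a 500.
        int statusCode = 500;
        HttpException httpEx = ex as HttpException;
        if (httpEx == null && ex != null)
        {
            httpEx = ex.InnerException as HttpException;
        }
        if (httpEx != null)
        {
            statusCode = httpEx.GetHttpCode();
        }

        // Report the real status. An error page that answers 200 OK hides
        // failures from monitoring and lets proxies cache the error.
        Response.StatusCode = statusCode;

        // On IIS 7+ (integrated pipeline) a non-200 status invites IIS to swap
        // this body for its own httpErrors page. This flag keeps ours.
        Response.TrySkipIisCustomErrors = true;

        // Never show exception text or the offending URL to the client; log it.
        // Fully qualified because Page.Trace is the ASP.NET TraceContext.
        if (ex != null)
        {
            System.Diagnostics.Trace.TraceError(
                "Unhandled exception for {0}: {1}", Request.RawUrl, ex);
        }

        Message.Text = statusCode == 404
            ? "The page you requested could not be found."
            : "An error has occurred. Please try again.";
    }
}
```

The message text is fixed and contains nothing from the request, so the page can be served to remote clients with customErrors mode="On" or "RemoteOnly" without leaking stack traces or reflecting the URL that caused the error.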