ASP.NET Security Vulnerability

6 posts, 1 answered
  1. Burl
    8 posts
    Registered:
    12 Apr 2008
    20 Sep 2010
    Hi,

    Scott Guthrie just released a blog about a major security vulnerability in all versions of ASP.Net.
    http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

    Any changes to the Sitefinity web.config other than what's reported in this workaround needed until a fix is released?

    Thanks, Burl

    Update: Link to the Blog.... http://www.sitefinity.com/blogs/gabesumner/posts/10-09-20/asp_net_security_vulnerability_makes_sitefinity_vulnerable.aspx
  2. Radoslav Georgiev
    3370 posts
    Registered:
    01 Feb 2016
    20 Sep 2010
    Hello Burl,

    Thank you for using our services.

    There are no other changes than the ones proposed as a workaround in Scott Gu's blog. We are going to publish a blog post covering the same steps for a Sitefinity website.

    Regards,
    Radoslav Georgiev
    the Telerik team
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
    Answered
  3. Rabindra
    106 posts
    Registered:
    17 May 2009
    21 Sep 2010
    Hi,
    I commented out the default line and added the second line. I created an error.aspx page in the root, but when I test the page I get a runtime error page. Any reason why it's not redirecting to the error.aspx page?
    Please advise.
    <customErrors mode="On">
         <!--<error redirect="~/Sitefinity/nopermissions.aspx" statusCode="403" />-->
         <error redirect="~/error.aspx" statusCode="403" />
         <error redirect="~/pagenotfound.aspx" statusCode="404" />
    </customErrors>

    I am using Sitefinity SP2.
  4. Radoslav Georgiev
    3370 posts
    Registered:
    01 Feb 2016
    21 Sep 2010
    Hello Rabindra,

    If your error pages are in the root of the website (or are top level CMS pages) you can try omitting the ~/ in the path to the error page:
    <customErrors mode="On">
         <!--<error redirect="~/Sitefinity/nopermissions.aspx" statusCode="403" />-->
         <error redirect="error.aspx" statusCode="403" />
         <error redirect="pagenotfound.aspx" statusCode="404" />
    </customErrors>


    Sincerely yours,
    Radoslav Georgiev
    the Telerik team
  5. Rabindra
    106 posts
    Registered:
    17 May 2009
    21 Sep 2010
    Hi Radoslav,
    I think I didn't read the instructions very well. So, now I changed to this and it's working.
    <customErrors mode="On" defaultRedirect="~/error.aspx">
         <error redirect="~/Sitefinity/nopermissions.aspx" statusCode="403" />
         <error redirect="~/pagenotfound.aspx" statusCode="404" />
    </customErrors>

    thanks
  6. David Pearson
    54 posts
    Registered:
    17 Jul 2012
    21 Sep 2010
    Hi all, I am also currently working on this for my sites. 

    I ended up creating a master template for my error pages, with the delay install in the page load. Wondering if this is a good solution. I tried adding redirectMode="ResponseRewrite"; this appears to break the redirect.
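
An audit sketch for the workaround discussed in this thread, added here as an example and not code from the forum, Telerik or Microsoft. It parses a web.config and reports when customErrors is off, lacks defaultRedirect, or still has per-status `<error>` children, which Scott Guthrie's post says the workaround should not have so that every failure returns the same page. The function name and the three samples are constructed, and redirectMode is not checked.

```python
import xml.etree.ElementTree as ET

# Constructed sample: same shape as the last customErrors block posted above.
PER_STATUS = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.aspx">
    <error redirect="~/Sitefinity/nopermissions.aspx" statusCode="403" />
    <error redirect="~/pagenotfound.aspx" statusCode="404" />
  </customErrors>
</system.web></configuration>"""

# Constructed sample: every error goes to one page, no <error> children.
UNIFORM = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.aspx" />
</system.web></configuration>"""

# Constructed sample: custom errors disabled, raw error details reach clients.
DISABLED = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means uniform error handling."""
    root = ET.fromstring(web_config_xml)
    sections = list(root.iter("customErrors"))
    if not sections:
        return ["no <customErrors> element: no defaultRedirect is configured"]
    findings = []
    for section in sections:
        # ASP.NET treats a missing mode attribute as RemoteOnly.
        mode = section.get("mode", "RemoteOnly")
        if mode == "Off":
            findings.append('mode="Off": detailed errors are returned to clients')
        if not section.get("defaultRedirect"):
            findings.append("defaultRedirect is missing: no single error page")
        # Per-status pages make a 403, a 404 and a 500 distinguishable.
        codes = [e.get("statusCode", "?") for e in section.findall("error")]
        if codes:
            findings.append("per-status <error> entries for: " + ", ".join(codes))
    return findings


if __name__ == "__main__":
    for name, xml in [("per-status", PER_STATUS), ("uniform", UNIFORM),
                      ("disabled", DISABLED)]:
        print(name, audit_custom_errors(xml) or "OK")
```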
