Member
Martin H. - 9/19/2010 6:52:55 PM
   
ASP.NET Security Vulnerability
What is the best way to deal with the ASP.NET Security Vulnerability as described in
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx and http://www.microsoft.com/technet/security/advisory/2416728.mspx

We are running Kentico 5.0 on IIS 7 (Windows Server 2008 64-bit) and ASP.NET 3.5 SP1. Our environment is configured for extension-less URLs, so the IIS error pages are configured to point to /CMSPages/handler404.aspx for the feature and 404 and 405 errors specifically. For ASP.NET we have defaultRedirect="~/Custom/error.html" and a specific 404 entry pointing to ~/CMSPages/handler404.aspx (default Kentico config).

Scott Guthrie's blog post does not mention the IIS config, but our ASP.NET config does not allow us to use the suggested workaround, where the same error page is used for all errors. I believe Kentico relies on the 404 handler, so I am not sure what the best solution is.


Kentico Support
kentico_jurajo - 9/20/2010 1:44:07 AM
   
RE: ASP.NET Security Vulnerability
Hi,


Since this issue was published two days ago, our developers have been inspecting it and we are doing some tests. However, it seems to be a general ASP.NET issue not related to Kentico CMS, and following the workaround described in the article should not affect any Kentico functionality (custom errors are set to "off" by default).

As soon as we have any further information, we will publish a blog post on our DevNet portal (devnet.kentico.com).

Best regards,
Juraj Ondrus
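
The workaround discussed in this thread requires the same error page for all errors. The check below is an added example, not part of the thread and not Kentico or Microsoft code: it reads a web.config and reports every `<customErrors>` setting that breaks that rule. The three sample configurations are constructed from the settings the posts mention, and the `mode` value in the first one is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed samples. QUESTION_CONFIG models the setup in the question (the
# mode value is an assumption); KENTICO_DEFAULT models the "off" default
# mentioned in the reply; SINGLE_PAGE sends every error to one page.
QUESTION_CONFIG = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/Custom/error.html">
    <error statusCode="404" redirect="~/CMSPages/handler404.aspx" />
  </customErrors>
</system.web></configuration>"""
KENTICO_DEFAULT = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""
SINGLE_PAGE = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/Custom/error.html" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return findings; an empty list means one page answers every error."""
    root = ET.fromstring(web_config_xml)
    # Covers the top-level section and any <location>-scoped overrides.
    sections = root.findall(".//system.web/customErrors")
    if not sections:
        return ["no <customErrors> element, so no single error page is set"]
    findings = []
    for section in sections:
        # ASP.NET treats a missing mode attribute as RemoteOnly.
        mode = section.get("mode", "RemoteOnly")
        default = section.get("defaultRedirect")
        if mode.lower() == "off":
            findings.append('mode="Off": custom error pages are disabled')
        if not default:
            findings.append("no defaultRedirect: errors are not sent to one page")
        for entry in section.findall("error"):
            target = entry.get("redirect", "")
            if not default or target.lower() != default.lower():
                findings.append(
                    f"status {entry.get('statusCode')} goes to {target}, "
                    "not the default page"
                )
    return findings


if __name__ == "__main__":
    for name in ("QUESTION_CONFIG", "KENTICO_DEFAULT", "SINGLE_PAGE"):
        print(name, audit_custom_errors(globals()[name]))
```

The check covers only the ASP.NET `<customErrors>` section; the IIS error pages described in the question are configured separately and are not inspected here.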