diTii.com Digital News Hub



ASP.NET Vulnerability (Security Advisory 2416728) Workaround Update

Microsoft updated SA2416728 to add a step to the workaround: blocking requests that specify the app error path on the querystring. This additional step can be applied server-wide. It does not replace the other steps in the original workaround; it should be done in addition to them. Below are instructions on how to enable it:

Install and enable IIS URLScan [x86, x64] with a custom rule, then add an additional URLScan rule. Once URLScan is installed, open and modify the UrlScan.ini file in this location: %windir%\system32\inetsrv\urlscan\UrlScan.ini. Near the bottom of the UrlScan.ini file you’ll find the [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file.


This entry keeps URLs that have an “aspxerrorpath=” querystring attribute from reaching ASP.NET apps and instead causes the web server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server, which helps block attacks using this vulnerability. After saving the change, run “iisreset” from an elevated command prompt for it to take effect. To verify that the change has been made, try accessing a URL on your site/app that has a querystring with an aspxerrorpath and confirm that IIS sends back an HTTP error.
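A quick way to audit the edited file before relying on it is sketched below. This is an added example, not part of the advisory or of URLScan. It checks that the entry is active and sits in the right section, since an entry that is commented out or placed under a different section would not apply. The sample file contents are constructed, and the parsing rules and the case-insensitive substring match are assumptions about how URLScan reads the file.

```python
SECTION = "denyquerystringsequences"   # section named in the workaround
REQUIRED = "aspxerrorpath="            # entry the workaround adds

# Constructed sample files (not taken from a real server).
GOOD = """\
[DenyUrlSequences]
..  ; directory traversal
[DenyQueryStringSequences]
<   ; script injection
>
aspxerrorpath=
"""
WRONG_SECTION = """\
[DenyUrlSequences]
..
aspxerrorpath=
[DenyQueryStringSequences]
<
"""
COMMENTED_OUT = """\
[DenyQueryStringSequences]
<
; aspxerrorpath=
"""

def parse_sections(text):
    """Map lower-cased section name -> list of bare entries.
    Assumed syntax: [Section] headers, one entry per line, ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comment and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def has_workaround(text):
    """True only if the entry is active and sits in the right section."""
    return REQUIRED in (e.lower() for e in parse_sections(text).get(SECTION, []))

def would_block(text, query_string):
    """Assumption: a listed sequence matches as a case-insensitive substring."""
    qs = query_string.lower()
    return any(s.lower() in qs for s in parse_sections(text).get(SECTION, []))

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WRONG_SECTION", WRONG_SECTION), ("COMMENTED_OUT", COMMENTED_OUT)):
        print(name, has_workaround(cfg), would_block(cfg, "aspxerrorpath=/error.aspx"))
```

To check a real server, pass the contents of UrlScan.ini to `has_workaround`. The HTTP test described above remains the authoritative check that the filter is loaded.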

