ASP.NET Custom Errors Security Flaw

Updated 5 October 2010: There is now a patch available via Windows Update. Read more about it here, and ensure all ASP.NET web servers have been patched ASAP.

Microsoft just released some details on a security flaw that was publicized a few hours ago. In this post, you can learn more about the ASP.NET vulnerability and how to detect whether your web sites might be affected by it. This is a serious flaw that you should take steps to address as soon as possible, since the attack can be performed by anybody with the available tools, in less than a minute, and can provide them with access to any file the site has access to (including web.config), as well as potentially root level access to the machine. This YouTube video shows the use of the tool (POET) in action.

In order to detect sites on your server that may be vulnerable, copy the script provided here to a file on your server named DetectCustomErrors.vbs. Next, open a command line window as administrator and run the following command (I ran it from d:, which is the root folder of the drive where my web sites are located):

cscript DetectCustomErrors.vbs

The output will be something like the following:


Once you’ve identified the config files that are vulnerable, the simplest solution is to provide a single custom error page, like so:

Do not include separate error codes for 404, 500, etc. The attack relies on gaining information from the variability in error codes. You need to set a single defaultRedirect. It’s also insufficient to have no defaultRedirect.

The way the exploit works is by gaining information from which errors are returned and potentially from how long it takes for a given error to be returned. By always returning the same static file in response to any error, you deny the attacker this information and maintain the security of the application.
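The check below is an added example, not the DetectCustomErrors.vbs script the post links to. It encodes the post's rule in Python so a reader can see exactly what "a single custom error page" means in web.config terms: the customErrors element must exist, must carry a defaultRedirect, and must not contain per-status-code error entries (404, 500, and so on). The two web.config documents it contains are constructed samples, one that varies its response by status code and one that returns a single page for every error. The mode="Off" check is my addition beyond the post's wording (custom errors off means ASP.NET returns its own detailed, varying error pages). The scan_tree function only walks a directory tree for web.config files; it does not query IIS for site bindings the way the post's script does.

```python
"""Check ASP.NET web.config <customErrors> settings against the single-page
workaround described in the post.  Added example, not the post's own script;
the sample configs below are constructed for illustration."""

import os
import xml.etree.ElementTree as ET

# Constructed sample: separate pages per status code.  The response differs
# depending on which error occurred, which is the signal the attack relies on.
VULNERABLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/servererror.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""

# Constructed sample: the workaround from the post, one static page for
# every error and no status-code-specific entries.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>
"""


def check_custom_errors(xml_text):
    """Return a list of findings for one web.config document.

    An empty list means the <customErrors> section matches the workaround.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["web.config is not well-formed XML: %s" % exc]

    system_web = root.find("system.web")
    node = system_web.find("customErrors") if system_web is not None else None
    if node is None:
        # Without the element the site runs on ASP.NET's defaults, which do
        # not give the single fixed error page the post calls for.
        return ["no <customErrors> element under <system.web>"]

    # Assumption beyond the post's text: mode="Off" means detailed, varying
    # error pages, so it cannot satisfy the workaround either.
    if node.get("mode", "").lower() == "off":
        findings.append('customErrors mode="Off" returns detailed, varying errors')

    if not node.get("defaultRedirect"):
        findings.append("no defaultRedirect set; a single error page is required")

    per_status = node.findall("error")
    if per_status:
        codes = ", ".join(e.get("statusCode", "?") for e in per_status)
        findings.append(
            "per-status-code <error> entries (%s) reveal which error occurred" % codes
        )
    return findings


def scan_tree(root_dir):
    """Walk a directory tree (for example an IIS wwwroot) and check every
    web.config found.  Returns {path: findings}, listing only files that
    have findings."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            if name.lower() == "web.config":
                path = os.path.join(dirpath, name)
                # Visual Studio writes web.config with a UTF-8 BOM; utf-8-sig
                # strips it so the XML parser does not choke on it.
                with open(path, encoding="utf-8-sig") as fh:
                    findings = check_custom_errors(fh.read())
                if findings:
                    results[path] = findings
    return results


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_custom_errors(cfg) or "OK")
```

Run it as-is to see the two samples classified, or call scan_tree on the folder that holds your sites to get a per-file list of what still needs changing. A file that parses but has no findings is one that returns the same page for every error, which is the property the post is after.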

Don’t forget to apply this fix to non-production-but-public sites as well. If you have publicly accessible test, stage, beta, etc. sites, they need to be addressed unless they are in a completely locked-down DMZ, since anything on those machines could be compromised by this exploit.

Please share this post and the information in it as widely as possible. As of this moment, virtually any ASP.NET web site online can potentially be compromised with about a minute’s work. By working together quickly, we (developers and IT pros) should be able to eliminate this vulnerability quickly, saving our companies and clients from potentially large losses.

Update – There’s a slight bug in the script as published. Change line 123:

from: EnumWebConfig(objDir.Path)

to: EnumWebConfig(physicalPath)

Update Update: The above fix on line 123, and several others, are incorporated into the script now. ScottGu also has posted details about the vulnerability and how to work around it.

Additional Resources:

If you have a load balancer, you may be able to apply one rule to protect your sites

  • Andrew Rea

    After applying the small fix in your update I still get the following error when running that script:

    DetectAspSecurityHole.vbs(201, 5) Microsoft VBScript runtime error: Object doesn’t support this property or method: ‘xmlnode.getAttribute’

  • ssmith

    Microsoft (and some of us) are working on making the script more reliable. You can of course manually look at your sites’ config files and ensure they’re not sending back anything but a single static customError page. Expect a blog from in the very near future with a more reliable script.

  • Andrew Rea

    Ok cool cheers for that.

  • Andrew Rea

    This is pretty mad:…/demo-aspnet-pad

    Any idea where we can find the download for POET for ASP.NET?

  • Security flaw in ASP.NET

    Scott Guthrie has just published a blog article on the official site saying that yesterday (17 September

  • ASP.NET security exploit information

    Here is a link with information regarding the exploit.…/2416728.mspx

  • pepe


  • バーバリー

    Good post. I am a normal visitor of your web site and appreciate you taking the time to maintain the nice site. I will be a regular visitor for a long time.