aspxerrorpath in query string can cause custom error pages to fail with Runtime Error

A bit of a strange and obscure problem here, which is why I am posting about it. I think this may be a problem with ASP.NET rather than the application but I’m willing to be proved wrong!

ASP.NET has a reserved query string variable called aspxerrorpath. This is used by default when a custom error page is invoked, i.e. if you have a 404 or 500 error, and catch it via a custom error page set up in the web.config, then the query string will be something like Error?aspexerrorpath=/Path/To/Location/Error/Occurred. The URL after the equals sign can be used to redirect or log the error page. This happens with MVC as well as Webforms.

However if there is a problem with the aspxerropath URL, for instance it is too long, then the application will fall over with a Runtime Error screen. This is probably because ASP.NET is attempting to parse the URL, it fails, but obviously can’t go back to the custom error page because otherwise it would keep going round in an infinite loop.

Although it is easily possible to remove aspxerrorpath from the error page’s URL, simply by adding an alternative query parameter, the problem is that hacker-types can still manually type it in and possibly gain a little bit more information about your site. It was highlighted as a ‘Low risk’ problem by a security company on a website of mine so I thought I should get it sorted.

I found that following ‘fix’ for another problem seemed to work for this as well, basically it just makes ASP.NET stop parsing the passed URL by instructing it to ignore URLs with aspxerrorpath in the querystring.

http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx

Note I am using .Net 4.0, and the above is an old blog post, so there still seems to be some issues with it. I’m not entirely sure why they can’t remove it altogether!

Advertisements