This vulnerability was publicly disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround (described in post) to prevent attackers from using this vulnerability against your ASP.NET applications.
This is serious, I think, and we need to apply the workaround as recommended.
We were patch monkeys all Sunday. For nop store here is what we can do:
In web.config
Turn it on:
From
    <customErrors mode="Off" defaultRedirect="errorpage.htm">
        <error statusCode="403" redirect="bannedaddress.htm"/>
        <error statusCode="404" redirect="filenotfound.htm"/>
    </customErrors>
to
    <customErrors mode="On" defaultRedirect="errorpage.htm" />

---------------------------------------------
OR FOR .NET 3.5 OR UP (1.8 and up)
--------------------------------------------
In nop store web.config
From
    <customErrors mode="Off" defaultRedirect="errorpage.htm">
        <error statusCode="403" redirect="bannedaddress.htm"/>
        <error statusCode="404" redirect="filenotfound.htm"/>
    </customErrors>
to
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <h1>We're sorry, an internal error occurred that prevents the request to complete.</h1>
    <p>
        Our supporting staff has been notified with this error and will address this issue shortly.
        We profusely apologize for the <b>inconvenience</b> and for any damage this may cause.
        You might want to try the same action at later time.
    </p>
</body>
</html>
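Added example, not part of the original posts or of nopCommerce: a Python check that a web.config carries the customErrors settings shown in the post above, useful when many sites have to be patched by hand. The function name, the sample documents (constructed by wrapping the post's snippets in `<configuration><system.web>`) and the strict requirement of mode="On" are assumptions of this example.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace, which some web.config files declare on <configuration>."""
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml, require_response_rewrite=False):
    """Return a list of findings; an empty list means the post's workaround is in place."""
    root = ET.fromstring(web_config_xml)
    # iter() also reaches customErrors nested under <location> overrides.
    sections = [el for el in root.iter() if local(el.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> element found"]
    findings = []
    for ce in sections:
        mode = ce.get("mode")
        if mode != "On":  # assumption: require exactly the value the post sets
            findings.append(f"mode is {mode!r}, expected 'On'")
        if not ce.get("defaultRedirect"):
            findings.append("defaultRedirect is missing")
        # The post's "to" form drops the per-status pages so every error goes to one page.
        codes = [c.get("statusCode", "?") for c in ce if local(c.tag) == "error"]
        if codes:
            findings.append("per-status <error> entries remain: " + ", ".join(codes))
        if require_response_rewrite and ce.get("redirectMode") != "ResponseRewrite":
            findings.append("redirectMode is not 'ResponseRewrite'")
    return findings

# Constructed sample input: the post's "From" snippet inside a minimal web.config.
BEFORE = """<configuration><system.web>
  <customErrors mode="Off" defaultRedirect="errorpage.htm">
    <error statusCode="403" redirect="bannedaddress.htm"/>
    <error statusCode="404" redirect="filenotfound.htm"/>
  </customErrors>
</system.web></configuration>"""

# Constructed sample input: the post's .NET 3.5+ "to" snippet, with a namespaced root.
AFTER = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_custom_errors(doc, require_response_rewrite=True) or "OK")
```

Pass `require_response_rewrite=True` only for sites using the .NET 3.5 and up variant; the first variant in the post has no redirectMode attribute.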
Thanks for letting us know about this. Here's a suggestion that might also help others. When I implemented this in nopCommerce 1.8 with the error.aspx page example from Scott Guthrie's blog everything worked, except that the error page inherited the nopCommerce theme! This made the message hard to read. Setting EnableTheming="false" in the @Page directive didn't work. To overcome this, I just disabled the theme by placing this snippet of code:
in the script tag and then added some styles to the page to make it look okay. Here's the entire page for ASP.NET 4.0 -- no need to compile or anything, just edit text in notepad or other text editor.