Hello, I have an ASP.NET 4.0 MVC web application running on IIS 6.0 with a web.config custom error section of:

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/Home/Error">
  <error statusCode="403" redirect="/Home/Error"/>
  <error statusCode="404" redirect="/Home/Error"/>
</customErrors>

and an error.aspx page that looks like this:

<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master" Inherits="System.Web.Mvc.ViewPage<System.Web.Mvc.HandleErrorInfo>" %>

<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<asp:Content ID="Content1" ContentPlaceHolderID="TitleContent" runat="server">
    Error
</asp:Content>

<asp:Content ID="Content2" ContentPlaceHolderID="MainContent" runat="server">

    <h2>Error Processing your request.</h2>

</asp:Content>

<asp:Content ID="Content3" ContentPlaceHolderID="Scripts" runat="server">
    <script runat="server">
       void Page_Load() {
          byte[] delay = new byte[1];
          RandomNumberGenerator prng = new RNGCryptoServiceProvider();

          prng.GetBytes(delay);
          Thread.Sleep((int)delay[0]);

          IDisposable disposable = prng as IDisposable;
          if (disposable != null) { disposable.Dispose(); }
        }
    </script>
</asp:Content>

Whenever I include the above redirectMode="ResponseRewrite" in the web.config custom errors section the redirect to my custom errors page no longer works and I get the page error of "Server error in "/" application - resource cannot be found". In fact the controller action is ignored as well. When I take that setting out everything works as it should. I am trying to incorporate Scott Gu's workaround for the ASP.NET security vulnerability listed here: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Any help would be greatly appreciated. Thanks, Billy

A: 

Unfortunately, you cannot have any <error> tags within the <customErrors> block according to Scott Guthrie. They are definitely working on a patch, but in the meantime, you have to use a very simple <customErrors> section like the following:

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
Scott Anderson
Thanks Scott. This got me going in the right direction. Some other issues I had with what's displayed above were that it didn't like the Inherits="System.Web.Mvc.ViewPage<System.Web.Mvc.HandleErrorInfo>". Changed that to Inherits="System.Web.Mvc.ViewPage". Also the master page I am referencing had some issues being called like this due to some objects not being populated properly. So I am using a scaled-down version of my old master page for the error page. Anyway, thanks again!
Billy Logan
A: 

I'm looking for the same answer. Mr. Anderson's response, though, is not accurate. Scott is recommending homogeneity of response codes. Their .vbs test script looks for several conditions. The 404 and 500 error codes are all he looks for a redirect on. If they're the same, the script is happy. If one is null, the other must match the default redirect. Again, that tests for homogeneity. As long as your 404 and 500 responses are indistinguishable, his script will green-light your code.

The value of the ResponseRewrite appears to be to bypass the 302 response IIS returns. I gather that 302 can be returned prior to any handled 404 or 500 error, and give the attacker timing information. I'm not sure you can do without the ResponseRewrite (and Microsoft certainly says you cannot).

codepoke
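The "homogeneity" test described in the answer above can be expressed as a small offline check over recorded responses. This is an added example, not Scott Gu's .vbs script and not code from the original thread; it assumes you have captured the responses your own application returns for a 404 path and a 500 path (the sample responses below are constructed, including the aspxerrorpath query string that the default ResponseRedirect mode appends) and decides whether an observer could tell the two error conditions apart by status code, non-volatile headers or body.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class HttpResponse:
    """Minimal HTTP response model (constructed for this example)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# Headers that legitimately vary per request and must not count as a difference.
VOLATILE_HEADERS = {"date", "set-cookie", "x-request-id"}


def fingerprint(resp: HttpResponse) -> Tuple:
    """Reduce a response to the parts an observer could use to tell error paths apart:
    status code, stable headers, and the body with whitespace collapsed."""
    headers = {k.lower(): v.strip() for k, v in resp.headers.items()
               if k.lower() not in VOLATILE_HEADERS}
    body = re.sub(r"\s+", " ", resp.body).strip()
    return (resp.status, tuple(sorted(headers.items())), len(body), body)


def differences(a: HttpResponse, b: HttpResponse) -> List[str]:
    """Name the observable fields on which two error responses differ."""
    names = ("status", "headers", "body-length", "body")
    return [n for n, x, y in zip(names, fingerprint(a), fingerprint(b)) if x != y]


def indistinguishable(responses: List[HttpResponse]) -> bool:
    """True when every response collapses to the same fingerprint."""
    return len({fingerprint(r) for r in responses}) == 1


# Constructed: default redirectMode (ResponseRedirect). Each error becomes a 302 whose
# Location carries the offending path, so the 404 and the 500 are trivially different.
BEFORE_FIX = [
    HttpResponse(302, {"Location": "/Home/Error?aspxerrorpath=/does-not-exist",
                       "Date": "Sat, 18 Sep 2010 10:00:00 GMT"}),
    HttpResponse(302, {"Location": "/Home/Error?aspxerrorpath=/Home/Index",
                       "Date": "Sat, 18 Sep 2010 10:00:01 GMT"}),
]

# Constructed: redirectMode="ResponseRewrite" with a single defaultRedirect. Both errors are
# served in place as the same 200 page; only volatile headers and whitespace differ.
AFTER_FIX = [
    HttpResponse(200, {"Content-Type": "text/html", "Date": "Sat, 18 Sep 2010 10:00:02 GMT"},
                 "<h2>Error Processing your request.</h2>"),
    HttpResponse(200, {"Content-Type": "text/html", "Date": "Sat, 18 Sep 2010 10:00:03 GMT"},
                 "<h2>Error Processing your request.</h2>\n"),
]

if __name__ == "__main__":
    print("before fix distinguishable by:", differences(*BEFORE_FIX))
    print("after fix indistinguishable:", indistinguishable(AFTER_FIX))
```

The check only covers what is visible in the response itself; it says nothing about response timing, which is why the error page in the question adds a random delay on top of the uniform response.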
A: 

The problem I had when trying to implement this on our MVC app was that we were using an MVC URL that requires routing to work as the defaultRedirect. Unfortunately, since a Server.Transfer is being performed with the ResponseRewrite redirectMode, this doesn't work. Instead I had to make the error URL point directly to the .aspx file. Also you no longer have access to Session, which is another common problem people have when using the ResponseRewrite redirectMode.

Blegger