Question

I'm trying to get a site PCI compliant.

If you visit (dummy ip): http:someipaddress/ZNYTMHXO.ashx

Then the user correctly sees the html from the page I have stated in my web config:

However if you use the same url but with ?aspxerrorpath=/ in the query string: http:someipaddress/ZNYTMHXO.ashx?aspxerrorpath=/

Then the page displays a Server Error in '/' Application. runtime error.

This is failing the PCI scan.

Why is this variable causing an issue?

Sorry, I should state that ZNYTMHXO.ashx does not exist. The 404 redirect works when aspxerrorpath is not in the query string.

-----UPDATE----- Just to help, this is the HTML of the page that shows, very limited.

<!DOCTYPE html>
<html>
    <head>
        <title>Runtime Error</title>
        <meta name="viewport" content="width=device-width" />
        <style>
         body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} 
         p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
         b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
         H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
         H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
         pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
         .marker {font-weight: bold; color: black;text-decoration: none;}
         .version {color: gray;}
         .error {margin-bottom: 10px;}
         .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
         @media screen and (max-width: 639px) {
          pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }
         }
         @media screen and (max-width: 479px) {
          pre { width: 280px; }
         }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

            <h2> <i>Runtime Error</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> Description: </b>An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.
            <br><br>

    </body>
</html>

Solution

The following blog post from Scott Guthrie http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx should be helpful.

He describes how to use the IIS Url Scan module to:

disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.

He was writing about a vulnerability that was reported to be patched. However, some are reporting this is still problematic as late as .NET 4.0 (mentioned here: Why does the ASP.NET error page return 404 as soon as the aspxerrorpath querystring is present?)

Your PCI scan is likely trying to exploit this same vulnerability. Eliminate the vulnerability and you should pass.

Hope that helps.
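
A way to confirm the fix before re-running the scan, as an added example that is not part of the original answer or of the linked blog post: it requests the missing page with and without ?aspxerrorpath=/ and reports a finding if either response is the runtime error page quoted in the question, or if the aspxerrorpath request was not rejected with an HTTP error. The function names, the sample responses and their status codes are constructed for illustration.

```python
import urllib.error
import urllib.request

# Strings taken from the runtime error page quoted in the question.
RUNTIME_ERROR_MARKERS = ("Server Error in '/' Application", "<title>Runtime Error</title>")

def fetch(url, timeout=10):
    """Return (status, body); HTTP error statuses are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def leaks_runtime_error(body):
    """True if the body looks like the default ASP.NET runtime error page."""
    return any(marker in body for marker in RUNTIME_ERROR_MARKERS)

def audit(plain, with_param):
    """plain / with_param are (status, body) for the missing page without and
    with ?aspxerrorpath=/ appended. Returns a list of findings (empty = pass)."""
    findings = []
    for label, (status, body) in (("plain", plain), ("aspxerrorpath", with_param)):
        if leaks_runtime_error(body):
            findings.append(f"{label}: ASP.NET runtime error page served (HTTP {status})")
    if with_param[0] < 400:
        findings.append(f"aspxerrorpath: HTTP {with_param[0]}, request was not rejected")
    return findings

def audit_site(base_url, missing_page="/ZNYTMHXO.ashx"):
    """Run the check against a host you operate (base_url is an assumption)."""
    url = base_url.rstrip("/") + missing_page
    return audit(fetch(url), fetch(url + "?aspxerrorpath=/"))

# Constructed sample responses, so the check also runs offline.
CUSTOM_404 = (404, "<html><body><h1>Page not found</h1></body></html>")
RUNTIME_ERROR = (500, "<html><head><title>Runtime Error</title></head><body>"
                      "<H1>Server Error in '/' Application.</H1></body></html>")
FILTERED = (404, "<html><body>Not Found</body></html>")

if __name__ == "__main__":
    print("before fix:", audit(CUSTOM_404, RUNTIME_ERROR))
    print("after fix: ", audit(CUSTOM_404, FILTERED))
```
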

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow