Vigil@nce - Microsoft .NET: information disclosure via customErrors
June 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate an error in a Microsoft .NET/ASP.NET
application, in order to obtain sensitive information.
Impacted products: IIS, .NET Framework, Windows 2003, Windows 2008
R0, Windows 2008 R2, Microsoft Windows 2012, Windows 7, Windows 8,
Windows RT, Windows Vista
Severity: 2/4
Creation date: 14/04/2015
DESCRIPTION OF THE VULNERABILITY
The Microsoft .NET uses the ASP.NET customErrors directive to
define the type of error messages to be displayed.
However, when the customErrors mode is disabled, an attacker can
trigger an error in order to read details about the application.
An attacker can therefore generate an error in a Microsoft
.NET/ASP.NET application, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Microsoft-NET-information-disclosure-via-customErrors-16604